WebApp Sec: Re: HTTP Response URI XSS but not in 302 Body

Re: HTTP Response URI XSS but not in 302 Body

From: Tim <tim-security_at_sentinelchicken.org>
Date: Thu, 1 Jul 2004 17:31:51 -0700

> Has anyone had an instance where they saw a successful Cross Site Scripting
> Exploit by receiving a script in a URL response but not in the body of the
> returned document.
>
> For example:
>
> HTTP/1.1 302 Moved Temporarily
> Server: Sun-ONE-Web-Server/6.1
> Date: Tue, 29 Jun 2004 00:26:25 GMT
> Content-type: text/html
> Location:
> http://www.website.com/search/tips.jhtml?statusCode=zeroresults&query=hello&
> searchscope=>"><script>alert('XSS')</script>&userQueryCorrected=hello&_reque
> stid=10756
> Connection: close
>
> <HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>
> <H1>302 Moved Temporarily</H1><BODY>
> </BODY>
>

I can't think of a situation where you could pull off an XSS with this, but if
you can inject CR/LF into the reply, then you can put your own headers
in (which can be very useful), or forge an entire HTTP reply header.
See: http://www.sanctuminc.com/pdf/whitepaper_httpresponse.pdf

tim
Received on Jul 02 2004
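The CR/LF point in the reply above, as an added example that is not part of the original post: a redirect builder that reflects the query value unchanged beside one that percent-encodes it, plus a check a response filter could apply to any header value. The host, path and parameter names are constructed from the quoted response and the `X-Injected` header is a harmless constructed marker, not a real payload.

```python
# Added example (not from the original post). Demonstrates why a CR/LF in a
# reflected Location value splits the response, and how encoding prevents it.
from urllib.parse import urlencode

CTRL = ("\r", "\n", "\x00")
BASE = "http://www.website.com/search/tips.jhtml"  # constructed from the quoted 302


def naive_location(user_query: str) -> str:
    """Reflects the user-supplied value into the Location header unchanged."""
    return BASE + "?statusCode=zeroresults&searchscope=" + user_query


def response_is_split(header_value: str) -> bool:
    """True if a header value contains a byte that would end the header line.

    A CR or LF inside the value lets it introduce extra header lines, or a
    blank line followed by an attacker-chosen body (the whitepaper's case).
    """
    return any(c in header_value for c in CTRL)


def safe_location(user_query: str) -> str:
    """Builds the same redirect with the value percent-encoded.

    urlencode() turns CR, LF, '<', '"' and friends into %XX escapes, so the
    resulting header line cannot be terminated early or carry raw markup.
    """
    query = urlencode({"statusCode": "zeroresults", "searchscope": user_query})
    return BASE + "?" + query


def headers_of(location: str) -> list:
    """Serialises a minimal 302 the way a server would and parses it back,
    returning (name, value) pairs so we can count what the Location value
    actually became on the wire."""
    raw = "HTTP/1.1 302 Moved Temporarily\r\nLocation: " + location + "\r\n\r\n"
    head = raw.split("\r\n\r\n", 1)[0]          # everything before the body
    pairs = []
    for line in head.split("\r\n")[1:]:         # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


if __name__ == "__main__":
    marker = "hello\r\nX-Injected: 1"           # constructed CR/LF test value
    print(headers_of(naive_location(marker)))   # two header lines
    print(headers_of(safe_location(marker)))    # one header line, value encoded
```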
