WebApp Sec: Re: Universal PDF XSS Remediation (Fix)

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

WebApp Sec mailing list archives

Re: Universal PDF XSS Remediation (Fix)

From: Tim Brown <tmb () 65535 com>
Date: Tue, 20 Feb 2007 00:19:48 +0000

Folks,

On an assessment at the moment and we have an opportunity to inject into a 
cookie.  The application however encodes our input using URL encoding.  Does 
any one know if there any way to exploit this?  Standard %0a %0d attacks 
won't work as % is reencoded as %25.

Cheers,
Tim
-- 
Tim Brown
<mailto:tmb () 65535 com>

-------------------------------------------------------------------------
Sponsored by: Watchfire

Securing a web application goes far beyond testing the application using 
manual processes, or by using automated systems and tools. Watchfire's 
"Web Application Security: Automated Scanning or Manual Penetration 
Testing?" whitepaper examines a few vulnerability detection methods - 
specifically comparing and contrasting manual penetration testing with 
automated scanning tools. Download it today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fH6
--------------------------------------------------------------------------

By Date By Thread

Current thread:

Universal PDF XSS Remediation (Fix) Cyrill Brunschwiler (Feb 12)
- Re: Universal PDF XSS Remediation (Fix) Amit Klein (Feb 13)
  - RE: Universal PDF XSS Remediation (Fix) Cyrill Brunschwiler (Feb 14)
    - Re: Universal PDF XSS Remediation (Fix) Amit Klein (Feb 14)
    - Re: Universal PDF XSS Remediation (Fix) Amit Klein (Feb 15)
    - Re: Universal PDF XSS Remediation (Fix) Tim Brown (Feb 20)
- Re: Universal PDF XSS Remediation (Fix) Ivan Ristic (Feb 13)
- Message not available
  - RE: Universal PDF XSS Remediation (Fix) Cyrill Brunschwiler (Feb 14)