|
WebApp Sec
mailing list archives
Re: XSS - Double Quote break out and White Space filtered
From: Marc-André Laverdière <marc-andre () atc tcs com>
Date: Tue, 09 Jun 2009 10:21:25 +0530
You can have a look at the Google Browser Security Handbook:
http://code.google.com/p/browsersec/wiki/Main
It may not exactly answer your question, but its a useful reference and
could help you get your answer :)
--
Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India
arvind doraiswamy wrote:
@Portswigger: The <IMG SRC> did work..thnx.
@Mugdha: The < and > was blocked. We tried your suggestion, Unicode
and that worked too. I'd swear we'd tried that out though :rollseyes.
Thanks anyway.
@Walid: No I'm not designing the wargame though that may be a nice
idea going forward :D.
The final bypass hence turns out to be document.write("\u003cimg src=a
onerror=alert(1)\u003e")
A final question though. How does the browser interpret Unicode and
Hex and all that? As in yes..I understand there is intelligence built
in to it but how does it decide..Right...This is Unicode. This is URL
Encoded. This is Hex..This is normal text. Is it just by the \u \x %
...?? Or is it something deeper. Are there a few good reads?
Thanks
Arvind
 By Date 
By Thread
Current thread:
- Re: XSS - Double Quote break out and White Space filtered, (continued)
| 
Intro
