Penetration Testing mailing list archives

.Net XSS


From: "DokFLeed" <dokfleed () dokfleed net>
Date: Tue, 11 Oct 2005 09:39:29 +0400

we are working on a white paper on XSS threats on a .Net platform,
.Net has a feature to stop <script> and some other XSS parameters.

in this testing case you could still write to the HTML code through a "GET" parameter in a LOGIN.aspx
you can even write to the "action" parameter of the form.
i.e. action="login.aspxANY INJECTED CODE HERE"

all the arguments so far, even with this vulnerability there isn't much you can do since it's on .Net platform
apparently any JavaScript redirect isn't working
writing to the action with "@" isn't working as well
i.e. action="login.aspx@anotherloginpage.aspx"

any tricks?

Dok
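
Added example, not part of the original post: a request-side filter like the one the post mentions inspects input, but it does not encode what the page writes out, so the reflection into `action` is closed on the output side. The C# sketch below assumes the reflected value arrives as a string `fromQuery`; the class and method names and the `data-marker` sample value are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Web; // HttpUtility: System.Web (.NET Framework) or System.Web.HttpUtility (.NET Core and later)

static class ActionAttributeDemo
{
    // Pattern described in the post: request data is concatenated
    // straight into the form's action attribute.
    static string RenderUnsafe(string fromQuery) =>
        "<form method=\"post\" action=\"login.aspx" + fromQuery + "\">";

    // Hardened: encode for the HTML attribute context before writing,
    // so a double quote in the value cannot end the attribute.
    static string RenderEncoded(string fromQuery) =>
        "<form method=\"post\" action=\"login.aspx" +
        HttpUtility.HtmlAttributeEncode(fromQuery) + "\">";

    // Preferred: the post target is a server-side constant and no
    // request data reaches the tag at all.
    static string RenderFixed() =>
        "<form method=\"post\" action=\"login.aspx\">";

    // Regression check: the tag was written with two attributes, so it
    // must contain exactly four literal double quotes after rendering.
    static bool TagIntact(string tag) => tag.Count(c => c == '"') == 4;

    static void Main()
    {
        // Constructed, benign sample value: it only tries to add an
        // inert data- attribute to the tag.
        string sample = "\" data-marker=\"1";

        foreach (var tag in new[] { RenderUnsafe(sample),
                                    RenderEncoded(sample),
                                    RenderFixed() })
        {
            Console.WriteLine("{0}  intact={1}", tag, TagIntact(tag));
        }
    }
}
```

The same check can be run against a rendered login page in a test suite: any reflected value that changes the number of attributes on the `<form>` tag means the output is not being encoded for the attribute context.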




