Penetration Testing mailing list archives

Re: CSS dangers with XSS?


From: dork () gmx at
Date: Wed, 15 Mar 2006 03:09:58 +0100

hi!

If you just mean further requests that could be triggered, there would be the 
IE-specific 
   filter:... src='http://example.com/...'
but if you mean anything like CSS-triggered JavaScript, AFAIK 
   behavior:url(javascript.htc)
is the most dangerous, but it uses url() and is restricted, especially under 
newer IE/XP SP2 combinations (and it only works under Internet Explorer 
anyway).

Do not forget about quotes in general, to avoid event handler registration. If 
you display custom input within attributes (such as href), you should 
consider opt-in instead of opt-out filtering. There are always new browser 
features or possibilities like 
   <a href="http://example.com%2F redir=test.com">.
Pedantic rule of thumb: if there is an RFC or any other standard limiting the 
allowed characters to a specific encoding, a given range of possible values or a 
specific type, you generally do not have to allow anything different. An 
exception could be some vendor-specific *extension*. If you use a provided 
string in an output that normally would need a special encoding, treat it 
like that, regardless of the kind of usage you planned.

HTH, if I didn't get your question wrong.

On Monday 13 March 2006 22:04, offset wrote:
Hello fellow pen-testers.

Trying to increase my test data for XSS.

Anyone know of any other dangerous CSS tags, other than url(), that could be
used to bypass XSS filters that filter out the typical <>%{}\[] etc.?

Thanks in advance,

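As an added example for this thread (not code from the original post, and not from any product mentioned on the page): the opt-in rule of thumb above, applied to two of the sinks the thread talks about, an href attribute and a CSS value, plus attribute-context encoding so a stray quote can never close the attribute and register an event handler. Function names, the allowed-scheme list, the colour grammar and the sample inputs are my own assumptions; only the `%2F redir=` URL comes from the thread.

```javascript
// Added example for this thread, not code from the original post: opt-in
// (allow-list) filtering for an href attribute and for a CSS colour value,
// plus attribute-context encoding. Function names, the scheme list, the
// colour grammar and the sample inputs below are all my own assumptions.

// RFC 3986 limits a URI to unreserved and reserved characters plus
// percent-encoded octets. Everything else (space, quotes, <, >, raw
// non-ASCII) is rejected, not escaped, so the thread's
// "http://example.com%2F redir=test.com" already fails on the space.
const URI_CHARS = /^(?:[A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=]|%[0-9A-Fa-f]{2})*$/;

// The schemes we chose to link to. javascript:, data:, vbscript: and
// whatever a browser adds next are simply absent, so no blacklist is needed.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalised absolute URL string, or null if the input is not
// something we are willing to put into an href.
function safeHref(input) {
  if (typeof input !== "string" || input.length === 0 || input.length > 2048) return null;
  if (!URI_CHARS.test(input)) return null;
  let url;
  try {
    url = new URL(input); // no base: relative inputs throw and are rejected
  } catch (_) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// A CSS colour is either #rgb / #rrggbb or one of a few names. url(),
// behavior:, filter: or a ';' that would start a second declaration cannot
// match this grammar, so they never reach the style attribute.
const CSS_COLOR = /^(?:#[0-9A-Fa-f]{3}(?:[0-9A-Fa-f]{3})?|red|green|blue|black|white)$/;

function safeCssColor(input) {
  return typeof input === "string" && CSS_COLOR.test(input) ? input.toLowerCase() : null;
}

// Output encoding for an HTML attribute value. Both quote characters are
// encoded so a value can never close the attribute and register an event
// handler. The same table is safe for element text, so it is reused for the
// link label.
const ATTR_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function encodeAttr(s) {
  return s.replace(/[&<>"']/g, (c) => ATTR_MAP[c]);
}

// Builds an <a> tag from untrusted href, label and colour. Returns null when
// the href is rejected; a bad colour just falls back to a default.
function renderLink(href, label, color) {
  const h = safeHref(href);
  if (h === null) return null;
  const c = safeCssColor(color) || "inherit";
  return `<a href="${encodeAttr(h)}" style="color: ${c}">${encodeAttr(String(label))}</a>`;
}

// Constructed sample inputs (only the %2F one is taken from the thread).
const SAMPLES = [
  ["http://example.com/page?x=1", "ok", "#FF0000"],
  ["http://example.com%2F redir=test.com", "space in host", "red"],
  ["javascript:alert(1)", "scheme not allowed", "red"],
  ["http://example.com/a'onmouseover=alert(1)", "quote in path", "red; behavior:url(x.htc)"],
  ["/relative/path", "not absolute", "red"],
];

for (const [href, label, color] of SAMPLES) {
  console.log(JSON.stringify(href), "->", renderLink(href, label, color));
}
```

The point of the shape: the href validator never looks for `javascript:` or `behavior:`; it only describes what is allowed (RFC 3986 characters, an absolute URL, two schemes) and rejects the rest, and the encoder is applied to the value regardless of where it came from, which is the "treat it like that, regardless of the kind of usage you planned" part of the post.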
