cross site scripting and post form

From: Carbone (carbonate@ifrance.com)
Date: 10/10/01


Message-ID: <004801c151c4$c8114760$983fbcac@moi>
From: "Carbone" <carbonate@ifrance.com>
To: <security-basics@security-focus.com>
Subject: cross site scripting and post form
Date: Wed, 10 Oct 2001 21:50:13 +0200

Hello everybody

A little question about cross site scripting. It's very easy to exploit this
vulnerability with a "get" form: we just have to send the victim a link
like http://www.bla.com/foo.pl?blabla="attacker script". Then foo.pl's output
is the attacker script, and this script is executed in the victim's navigator.
But how can this hole be exploited if the form on www.bla.com makes a post
request instead of a get request? With a post request, we are not able to make
the url like above.

We see everywhere on the web that the solution against cross site scripting
is to escape the special characters of the form. But maybe it's easier to
avoid GET forms? Or maybe I am missing something, and it's possible to exploit
POST forms...

What is your opinion about that?

Thank you

 
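An added example, not part of the original message: a Python stand-in for a handler like foo.pl, showing the escaping defence the message mentions applied at output time, with the same constructed value arriving once as a GET query string and once as a POST body. The function names, the "You searched for" page text and the sample value are assumptions made for illustration; only the blabla parameter name comes from the message.

```python
import html
from urllib.parse import parse_qs

PARAM = "blabla"  # parameter name taken from the URL in the message


def extract_param(method, query_string="", body=""):
    """Return the submitted value, read from the query string for GET
    or from a urlencoded request body for POST."""
    raw = query_string if method.upper() == "GET" else body
    values = parse_qs(raw, keep_blank_values=True)
    return values.get(PARAM, [""])[0]


def render_unescaped(value):
    """The pattern the message describes: the value is echoed as-is."""
    return "<p>You searched for: " + value + "</p>"


def render_escaped(value):
    """Hardened form: encode HTML metacharacters when writing output."""
    return "<p>You searched for: " + html.escape(value, quote=True) + "</p>"


# Constructed sample input: the same urlencoded value, used for both methods.
SAMPLE = "blabla=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def demo():
    """Render the sample through both code paths for each request method."""
    results = {}
    for method in ("GET", "POST"):
        value = extract_param(method, query_string=SAMPLE, body=SAMPLE)
        results[method] = (render_unescaped(value), render_escaped(value))
    return results


if __name__ == "__main__":
    for method, (raw, safe) in demo().items():
        print(method, "unescaped:", raw)
        print(method, "escaped:  ", safe)
```

The handler's output depends only on the value and on whether it is escaped, not on which method carried it, so the escaping has to sit on the output path for both.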


