Can you exploit this XSS?
From: Paul Johnston (paul_at_westpoint.ltd.uk)
Date: 11/19/03
Date: Wed, 19 Nov 2003 12:51:17 +0000
To: vuln-dev@securityfocus.com, rich@westpoint.ltd.uk
Hi,
While auditing a web app, I've found the site redirects not-found pages
to a login screen. This contains an element like:
<input type="hidden" name="tageturl" value="XXX">
Now, the XXX bit is controlled by the user, and it seems the only
characters escaped are " and & - i.e.
<script>alert(document.cookie)</script> gets through (hence my tool
alerted me).
Can this be exploited for XSS? I can't see how to immediately, but it
seems possible.
Paul
--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@westpoint.ltd.uk
web: www.westpoint.ltd.uk
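
Added example, not part of the original post: a Python check that renders the hidden input from the message with two encoders and asks an HTML parser whether the user value is still confined to the `value` attribute. It assumes the site escapes `"` and `&` as HTML entities and emits the attribute double-quoted; the function names and sample values are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Sample string quoted in the post, plus two constructed values.
POST_SAMPLE = "<script>alert(document.cookie)</script>"
QUOTE_SAMPLE = 'a"b&c=d'
BREAKOUT_SAMPLE = 'a" data-x="b'   # harmless extra attribute if unescaped

def page_filter(value):
    """Filter as described in the post: only " and & are escaped.
    Assumption: they are replaced by HTML entities."""
    return value.replace("&", "&amp;").replace('"', "&quot;")

def attr_encode(value):
    """Hardened encoder: escapes & < > " and ' for attribute context."""
    return html.escape(value, quote=True)

def render(value, encoder):
    """Build the element from the post with the encoded user value."""
    return '<input type="hidden" name="tageturl" value="%s">' % encoder(value)

class TagCollector(HTMLParser):
    """Records every start tag and its decoded attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def stays_in_attribute(value, encoder):
    """True if the parser sees exactly one <input> with the three expected
    attributes and the value attribute decodes back to the user input."""
    parser = TagCollector()
    parser.feed(render(value, encoder))
    parser.close()
    if len(parser.tags) != 1:
        return False
    tag, attrs = parser.tags[0]
    return (tag == "input"
            and set(attrs) == {"type", "name", "value"}
            and attrs["value"] == value)

if __name__ == "__main__":
    for name, enc in (("page filter", page_filter), ("attr_encode", attr_encode)):
        for sample in (POST_SAMPLE, QUOTE_SAMPLE, BREAKOUT_SAMPLE):
            print(name, repr(sample), stays_in_attribute(sample, enc))
```

The check covers only this one output context, a double-quoted attribute value. If the same parameter is echoed anywhere else in the page, that location needs the encoding for its own context.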