Re: Can you exploit this XSS?

From: Paul Johnston (paul_at_westpoint.ltd.uk)
Date: 11/19/03

  • Next message: Paul Johnston: "Re: Can you exploit this XSS?"
    Date: Wed, 19 Nov 2003 16:42:25 +0000
    To: Robin <robin@technophobia.co.uk>

    Hi Robin,

    There is a twist to this you have missed - the user controlled input
    comes INSIDE the quote marks, and quote characters are escaped. So
    there's no immediately obvious way to get script into the page, although
    I imagine it is possible.

    http://xyz/sdfdsf.htm<script>alert("hello")</script>

    The output now includes:

    <input type="hidden" name="targeturl"
    value="sdfdsf.htm<script>alert(&quot;hello&quot;)</script>">

    Paul

    Robin wrote:

    > Just by virtue of being able to get script into the page it can be
    > exploited. What can be gained from the exploit is dependent on what
    > the app/site does.
    >
    > XSS is commonly used to collect session IDs so an attacker could
    > gather those using this weakness.
    >
    > Robin
    >
    > Paul Johnston wrote:
    >
    >> Hi,
    >>
    >> While auditing a web app, I've found the site redirects not found
    >> pages to a login screen. This contains an element like:
    >>
    >> <input type="hidden" name="targeturl" value="XXX">
    >>
    >> Now, the XXX bit is controlled by the user, and it seems the only
    >> characters escaped are " and & - i.e.
    >> <script>alert(document.cookie)</script> gets through (hence my tool
    >> alerted me).
    >>
    >> Can this be exploited for XSS? I can't see how to immediately, but it
    >> seems possible.
    >>
    >> Paul
    >>
    >

    -- 
    Paul Johnston
    Internet Security Specialist
    Westpoint Limited
    Albion Wharf, 19 Albion Street,
    Manchester, M1 5LN
    England
    Tel: +44 (0)161 237 1028
    Fax: +44 (0)161 237 1031
    email: paul@westpoint.ltd.uk
    web: www.westpoint.ltd.uk
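An added example, not code from the thread or from the audited application, that contrasts the escaping Paul describes (only `"` and `&` rewritten) with full attribute encoding using Python's `html.escape`, and then parses the rendered markup to show where the injected characters end up. The input string is the one from the thread; the hidden-input template, the function names and the `HiddenInputReader` helper are assumptions made for this demo.

```python
import html
from html.parser import HTMLParser

# Escaping as the thread describes the audited app doing it:
# only " and & are rewritten, so < and > pass straight through.
def partial_escape(value: str) -> str:
    return value.replace("&", "&amp;").replace('"', "&quot;")

# Escaping appropriate for a double-quoted HTML attribute value:
# &, <, >, " and ' are all encoded, so nothing can open a tag or
# terminate the attribute.
def attribute_escape(value: str) -> str:
    return html.escape(value, quote=True)

# Template modelled on the element quoted in the thread (assumed).
def render_hidden_input(escape, targeturl: str) -> str:
    return '<input type="hidden" name="targeturl" value="%s">' % escape(targeturl)

# The probe string from the thread (constructed to match the posted example).
PROBE = 'sdfdsf.htm<script>alert("hello")</script>'

# True when a literal <script> tag survived encoding into the markup.
def raw_script_tag_present(rendered: str) -> bool:
    return "<script>" in rendered

class HiddenInputReader(HTMLParser):
    """Records the value attribute of the first <input name="targeturl">,
    after the parser has decoded character references such as &quot;."""
    def __init__(self):
        super().__init__()
        self.value = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "targeturl" and self.value is None:
            self.value = a.get("value")

# What an HTML parser sees as the attribute's decoded value.
def reflected_value(rendered: str):
    reader = HiddenInputReader()
    reader.feed(rendered)
    reader.close()
    return reader.value

if __name__ == "__main__":
    for name, esc in (("partial", partial_escape), ("full", attribute_escape)):
        out = render_hidden_input(esc, PROBE)
        print(name, raw_script_tag_present(out), out)
```

Both encoders yield the same decoded attribute value, which is the data the app meant to store; the difference is that only full encoding keeps `<` and `>` out of the serialized markup, so the output no longer depends on the browser treating the tag text as part of the attribute.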
    
