Re: Can you exploit this XSS?

From: Paul Johnston (paul_at_westpoint.ltd.uk)
Date: 11/20/03

  • Next message: Kurt Seifried: "Re: openbsd 3.4 ps bug"
    Date: Thu, 20 Nov 2003 10:00:08 +0000
    To: dd <dd@ghettohackers.net>

    Hi,

    > Given your description, this is not normally exploitable. Depending on
    > the browser it may be possible to trick some browsers into thinking
    > your html is broken by injecting line feeds and starting up new tags.

    Thanks for the info. I did some tests, and it turns out latest IE and
    Netscape execute the javascript in this example (note the missing ")

      <input type="hidden" name="targeturl"
    value="xyz><script>alert('hello')</script>

    So, this would be relatively easy to exploit, but the web app sensibly
    uses the strict dtd:

      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

    And so it really is not exploitable in this situation.

    Paul

    P.S. Thanks to Mike Brownbill for pointing out that this is "minimal
    risk as stealing cookies from users which aren't logged in is quite
    simply futile" !!!

    -- 
    Paul Johnston
    Internet Security Specialist
    Westpoint Limited
    Albion Wharf, 19 Albion Street,
    Manchester, M1 5LN
    England
    Tel: +44 (0)161 237 1028
    Fax: +44 (0)161 237 1031
    email: paul@westpoint.ltd.uk
    web: www.westpoint.ltd.uk
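
Added example (not part of the original thread, not Paul's or Westpoint's code): the hidden-input rendering discussed above, once as the vulnerable verbatim-copy pattern and once with proper attribute escaping, plus a small html.parser-based check that tells whether the injected value broke out of the attribute and produced a `<script>` element. The injected value is constructed for this example and is written with an explicit closing quote so the breakout is unambiguous to a parser; the function and constant names are assumptions. The standard mitigation for this class of issue is to HTML-escape every untrusted value placed inside an attribute.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the value from the thread, written with an
# explicit closing quote so the attribute breakout is unambiguous.
INJECTED_VALUE = "xyz\"><script>alert('hello')</script>"


def render_hidden_unescaped(value):
    """Vulnerable pattern: the value is copied into the attribute verbatim."""
    return '<input type="hidden" name="targeturl" value="%s">' % value


def render_hidden_escaped(value):
    """Hardened pattern: html.escape(quote=True) encodes & < > " and ' so the
    value can never terminate the attribute or open a new element."""
    return '<input type="hidden" name="targeturl" value="%s">' % html.escape(
        value, quote=True
    )


class _TagCollector(HTMLParser):
    """Records every start tag seen and the attributes of the first <input>."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_attrs = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and self.input_attrs is None:
            # HTMLParser unescapes attribute values for us (e.g. &quot; -> ")
            self.input_attrs = dict(attrs)


def parse(markup):
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector


def injected_element_present(markup, tag="script"):
    """Defensive check: True if the rendered markup contains a start tag the
    template itself never emits (here <script>), i.e. the value broke out."""
    return tag in parse(markup).tags


def recovered_value(markup):
    """The value a browser would submit back in the hidden form field."""
    attrs = parse(markup).input_attrs or {}
    return attrs.get("value")


if __name__ == "__main__":
    for name, render in (
        ("unescaped", render_hidden_unescaped),
        ("escaped", render_hidden_escaped),
    ):
        out = render(INJECTED_VALUE)
        print(name, "->", out)
        print("  script element present:", injected_element_present(out))
        print("  value as parsed:", recovered_value(out))
```

Running the block shows the unescaped rendering yielding two elements (`input` followed by `script`) with the field value truncated to `xyz`, while the escaped rendering yields a single `input` whose parsed value round-trips to exactly what was supplied. The same check can be dropped into a unit test for any template that embeds user input in attributes.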
    
