Re: Can you exploit this XSS?
From: Paul Johnston (paul_at_westpoint.ltd.uk)
Date: 11/20/03
- Previous message: Sverre H. Huseby: "Re: Can you exploit this XSS?"
- In reply to: dd: "Re: Can you exploit this XSS?"
- Next in thread: Dawes, Rogan (ZA - Johannesburg): "RE: Can you exploit this XSS?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 20 Nov 2003 10:00:08 +0000
To: dd <dd@ghettohackers.net>
Hi,
> Given your description, this is not normally exploitable. Depending on
> the browser it may be possible to trick some browsers into thinking
> your html is broken by injecting line feeds and starting up new tags.
Thanks for the info. I did some tests, and it turns out the latest IE and
Netscape execute the JavaScript in this example (note the missing "):
<input type="hidden" name="targeturl"
value="xyz><script>alert('hello')</script>
So, this would be relatively easy to exploit, but the web app sensibly
uses the strict DTD:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
And so it really is not exploitable in this situation.
Paul
P.S. Thanks to Mike Brownbill for pointing out that this is "minimal
risk as stealing cookies from users which aren't logged in is quite
simply futile" !!!
--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@westpoint.ltd.uk
web: www.westpoint.ltd.uk
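An added example, not part of Paul's message or the web app he tested: the "missing quote" injection from the thread modelled as a server-side render step, beside the hardened version. It assumes (my reading of "note the missing quote") that the app strips double quotes from the parameter and then echoes it straight into the attribute; the function names, the constructed payload and the tag check are all illustrative and not from the original page.

```javascript
// Added example (not from the original post). Assumption: the app strips
// double quotes from the parameter, which is why the reproduced tag has no
// closing ", but otherwise echoes the value unescaped into the attribute.
function renderHiddenUnsafe(targeturl) {
  const filtered = String(targeturl).replace(/"/g, '');
  return `<input type="hidden" name="targeturl" value="${filtered}">`;
}

// Hardened version: escape every character that can terminate an attribute
// value or open a tag, so the value can never leave the quotes. This is the
// standard attribute-context encoding, not something from the original app.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderHiddenSafe(targeturl) {
  return `<input type="hidden" name="targeturl" value="${escapeAttr(targeturl)}">`;
}

// Constructed attacker input: the payload from the thread, including the
// quote that the assumed filter later removes.
const PAYLOAD = 'xyz"><script>alert(\'hello\')</script>';

// Crude check: does the rendered markup contain any tag other than the
// <input> element itself? A real HTML parser is the authority on what a
// browser will do; this is only enough to contrast the two renderers.
function containsForeignTag(html) {
  return /<(?!input\b)[a-z]/i.test(html);
}

// Usage: the unsafe renderer reproduces the broken tag quoted in the thread,
// the safe one leaves only entity text inside a properly closed attribute.
console.log(renderHiddenUnsafe(PAYLOAD));
console.log(renderHiddenSafe(PAYLOAD));
```

Whatever a given browser or rendering mode does when it recovers from the broken tag, the hardened renderer leaves it nothing to recover: the `<`, `>` and quote characters arrive as entities, so the attribute closes exactly where the template says it does.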