Re: Can you exploit this XSS?

From: Paul Johnston (paul_at_westpoint.ltd.uk)
Date: 11/20/03

    Date: Thu, 20 Nov 2003 10:00:08 +0000
    To: dd <dd@ghettohackers.net>
    
    

    Hi,

    > Given your description, this is not normally exploitable. Depending on
    > the browser it may be possible to trick some browsers into thinking
    > your html is broken by injecting line feeds and starting up new tags.

    Thanks for the info. I did some tests, and it turns out latest IE and
    Netscape execute the javascript in this example (note the missing ")

      <input type="hidden" name="targeturl"
    value="xyz><script>alert('hello')</script>

    So, this would be relatively easy to exploit, but the web app sensibly
    uses the strict dtd:

      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

    And so it really is not exploitable in this situation.

    Paul

    P.S. Thanks to Mike Brownbill for pointing out that this is "minimal
    risk as stealing cookies from users which aren't logged in is quite
    simply futile" !!!

    -- 
    Paul Johnston
    Internet Security Specialist
    Westpoint Limited
    Albion Wharf, 19 Albion Street,
    Manchester, M1 5LN
    England
    Tel: +44 (0)161 237 1028
    Fax: +44 (0)161 237 1031
    email: paul@westpoint.ltd.uk
    web: www.westpoint.ltd.uk
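
An added example (not part of the thread) that puts the two rendering choices discussed above side by side: the unterminated, unencoded hidden input from the post, and the same input with attribute-context encoding and a closed quote. The sample value is constructed to mirror the payload quoted in the message; the well-formedness check models what a strict XML/XHTML parser does with each fragment, which is the property the strict DTD argument rests on (whether a browser actually parses as XML depends on how the document is served, not on the DOCTYPE alone).

```python
import html
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the value quoted in the thread: it is meant
# to end the attribute early and start a new tag.
SAMPLE_VALUE = "xyz><script>alert('hello')</script>"


def render_unsafe(value: str) -> str:
    """The vulnerable shape from the post: raw interpolation, no closing quote."""
    return '<input type="hidden" name="targeturl" value="' + value


def render_safe(value: str) -> str:
    """Attribute-context encoding (&lt; &gt; &quot; &#x27; &amp;) plus a closed,
    self-closed element, as XHTML requires."""
    return '<input type="hidden" name="targeturl" value="%s"/>' % html.escape(
        value, quote=True
    )


def is_well_formed(fragment: str) -> bool:
    """True if a strict XML parser accepts the fragment inside a form element."""
    try:
        ET.fromstring("<form>%s</form>" % fragment)
        return True
    except ET.ParseError:
        return False


def decoded_value(fragment: str) -> Optional[str]:
    """Round trip: the attribute value a conforming parser hands back, or None
    if the fragment is rejected."""
    try:
        root = ET.fromstring("<form>%s</form>" % fragment)
    except ET.ParseError:
        return None
    node = root.find("input")
    return None if node is None else node.get("value")


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        markup = render(SAMPLE_VALUE)
        print(name, is_well_formed(markup), repr(decoded_value(markup)))
```

The safe rendering parses and returns the original string as inert attribute data; the unsafe one is rejected outright by a strict parser, which is exactly the gap a tag-soup browser fills by guessing where the tag ends.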
    
