[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: XSS question.

To: "zeno" <bugtraq@xxxxxxxxxxxxxxx>
Subject: Re: XSS question.
From: "VAM" <thebigbadwolf@xxxxxxxxxxx>
Date: Thu, 05 Dec 2002 13:17:42 -0800
Cc: vuln-dev@xxxxxxxxxxxxxxxxx
Delivered-to: mailing list vuln-dev@xxxxxxxxxxxxxxxxx
Delivered-to: moderator for vuln-dev@xxxxxxxxxxxxxxxxx
Delivery-date: Fri, 06 Dec 2002 00:39:49 +0100
Envelope-to: vuln-dev@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
List-help: <mailto:vuln-dev-help@securityfocus.com>
List-id: <vuln-dev.list-id.securityfocus.com>
List-post: <mailto:vuln-dev@securityfocus.com>
List-subscribe: <mailto:vuln-dev-subscribe@securityfocus.com>
List-unsubscribe: <mailto:vuln-dev-unsubscribe@securityfocus.com>
Mailing-list: contact vuln-dev-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Thanks Zeno,

On Thu, 5 Dec 2002 14:23:36 -0500 (EST), "zeno" <bugtraq@xxxxxxxxxxxxxxx>
said:
> If the server escapes everything (example <b>hi</b> becomes
> \<b\>hi\<\\b\>) 
> then you can't xss with the script method.

This server (Webster web server) does not escapes like you mention above,
but converts all '/'s into '\'.. so </script> becomes useless.

> As far as the browser leaving %20
> no it won't execute. using + instead of %20 also will not work.

Right.. 

> If you
> can manage
> to get the xss hole between a <script>  
> 
> example
> 
> <script>
> $variable-vuln-to-xss
> </script> 
> 
> then it would be possible.

In this case, </script> isn't helping.. Mozilla/IE do not seem to honor
<\script> in the response. When the same response is changed to
</script>, the script does get executed.

> Obviously script isn't the only method to call
> javascript.

I am looking for ways other than <script>...</script> and <img
src=javascript:...> to run javascripts. Any ideas on that?

> When
> you encode the entire string does it leave it or attempt any type of
> translation back?
> 
> (aka does it simply not translate %20 or does it do this to every
> character?)
> 

All %xx s are left as they are in the response.. so they become pretty
much useless..

> 
> - zeno@xxxxxxxxxxxxxxx
> 

Thanks,
VAM.

> 
> 
> > 
> > Hey I am trying to figure out a way to exploit a webserver that is
> > supposedly vulnerable to XSS. The issues are:
> > 1. </SCRIPT> gets converted into <\SCRIPT> in the server response.. for
> > ScrIPT, etc too..
> > 2. img%20src remains img%20src in the response.. (the server does no
> > decoding)
> > 
> > so, I am not able to make IE/others execute the javascript embedded in
> > there. Is there any other way/ways of invoking javascript in the HTML
> > response from the server.. e.g. any other single-worded HTML tag etc that
> > can do something like what <img src=javascript:alert("hello")> does.. ?
> > 
> > Thanks!
> > 
> 
>

Follow-Ups:
- Re: XSS question.
  - From: zeno

Prev by Date: Re: RES: IIS Vulnerability Content-Type overflow [DH-7XC4RA3]
Next by Date: Re: XSS question.
Previous by thread: Re: XSS question.
Next by thread: Re: XSS question.
Index(es):
- Date
- Thread