Pantek Library

Hosting Provided By

CybrHost

High Speed Hosting

Re: XSS question.

From: zeno <bugtraq(at)cgisecurity.net>
Date: Thu Dec 05 2002 - 14:23:36 EST

If the server escapes everything (example <b>hi</b> becomes \<b\>hi\<\\b\>) then you can't xss with the script method. As far as the browser leaving %20 no it won't execute. using + instead of %20 also will not work. If you can manage to get the xss hole between a <script>

example

<script>
$variable-vuln-to-xss
</script>

then it would be possible. Obviously script isn't the only method to call javascript. When you encode the entire string does it leave it or attempt any type of translation back?

(aka does it simply not translate %20 or does it do this to every character?)

zeno@cgisecurity.com

>
> Hey I am trying to figure out a way to exploit a webserver that is
Received on Thu Dec 5 14:46:15 2002

This message: [ Message body ]
Next message: dullien(at)gmx.de: "Re: RES: IIS Vulnerability Content-Type overflow [DH-7XC4RA3]"
Previous message: Seymour, Keith: "RE: TOTAL WIRELESS SECURITY"
In reply to VAM: "XSS question."
Reply: VAM: "Re: XSS question."

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:37 EDT

Contact Us Legal Notices Order Services Online
Pantek Home Privacy Policy IT news Site Map Pantek Library