XSS question.

From: VAM (thebigbadwolfat_private)
Date: Wed Dec 04 2002 - 14:32:32 PST


    Hey, I am trying to figure out a way to exploit a webserver that is
    supposedly vulnerable to XSS. The issues are:
    1. </SCRIPT> gets converted into <\SCRIPT> in the server response (for
    ScrIPT, etc. too).
    2. img%20src remains img%20src in the response (the server does no
    decoding).
    
    So, I am not able to make IE/others execute the javascript embedded in
    there. Is there any other way of invoking javascript in the HTML
    response from the server, e.g. any other single-worded HTML tag etc. that
    can do something like what <img src=javascript:alert("hello")> does?
    
    Thanks!
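
For whoever maintains the server side of this: the sketch below is an added example, not part of the original post or of the server it describes. It models the tag rewrite from point 1 as a plain regex substitution (an assumption, the real implementation is not shown) and compares it with output encoding by counting the tags an HTML parser still finds in the reflected value. The function names and sample inputs are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Assumed model of the behaviour in point 1: "</SCRIPT>" in any letter
# case comes back as "<\SCRIPT>". Everything else is reflected as sent.
_CLOSE_SCRIPT = re.compile(r"</(script)>", re.IGNORECASE)

def described_filter(value):
    return _CLOSE_SCRIPT.sub(lambda m: "<\\" + m.group(1) + ">", value)

def encode_for_html(value):
    # Output encoding: & < > " ' become entities, so no reflected
    # character can open a tag or close a quoted attribute.
    return html.escape(value, quote=True)

class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_endtag(self, tag):
        self.tags.append("/" + tag)

def tags_seen(fragment):
    """Tags an HTML parser recognises in a reflected fragment."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags

# Constructed sample inputs: the two spellings from the post plus a
# harmless formatting tag the rewrite rule does not cover.
SAMPLES = ["</SCRIPT>", "</ScrIPT>", "<i>hello</i>"]

def audit(samples=SAMPLES):
    """(input, tags left by the tag rewrite, tags left by encoding)."""
    return [(s, tags_seen(described_filter(s)), tags_seen(encode_for_html(s)))
            for s in samples]

if __name__ == "__main__":
    for sample, rewritten, encoded in audit():
        print(f"{sample!r}: rewrite leaves {rewritten}, encoding leaves {encoded}")
```

A rewrite rule keyed to one tag name leaves every other reflected tag parseable, while encoding at output leaves the parser nothing to recognise.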
    


