Thanks Zeno,

On Thu, 5 Dec 2002 14:23:36 -0500 (EST), "zeno" <bugtraqat_private> said:

> If the server escapes everything (example <b>hi</b> becomes
> \<b\>hi\<\\b\>)
> then you can't xss with the script method.

This server (Webster web server) does not escape like you mention above, but converts all '/'s into '\'.. so </script> becomes useless.

> As far as the browser leaving %20
> no it won't execute. using + instead of %20 also will not work.

Right..

> If you
> can manage
> to get the xss hole between a <script>
>
> example
>
> <script>
> $variable-vuln-to-xss
> </script>
>
> then it would be possible.

In this case, </script> isn't helping.. Mozilla/IE do not seem to honor <\script> in the response. When the same response is changed to </script>, the script does get executed.

> Obviously script isn't the only method to call
> javascript.

I am looking for ways other than <script>...</script> and <img src=javascript:...> to run JavaScript. Any ideas on that?

> When
> you encode the entire string does it leave it or attempt any type of
> translation back?
>
> (aka does it simply not translate %20 or does it do this to every
> character?)
>

All %xx's are left as they are in the response.. so they become pretty much useless..

>
> - zenoat_private
>

Thanks,
VAM.

> >
> >
> > Hey I am trying to figure out a way to exploit a webserver that is
> > supposedly vulnerable to XSS. The issues are:
> > 1. </SCRIPT> gets converted into <\SCRIPT> in the server response.. for
> > ScrIPT, etc too..
> > 2. img%20src remains img%20src in the response.. (the server does no
> > decoding)
> >
> > so, I am not able to make IE/others execute the javascript embedded in
> > there. Is there any other way/ways of invoking javascript in the HTML
> > response from the server.. e.g. any other single-worded HTML tag etc that
> > can do something like what <img src=javascript:alert("hello")> does.. ?
> >
> > Thanks!
> >
> >
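As an added, defender-side illustration (not part of this thread or of the Webster server's code): a small Python model of the transformation the server is described as applying (every '/' turned into '\', percent-encoded bytes left undecoded), next to proper HTML entity encoding, with a check that flags output in which a browser can still parse a tag. The function names are my own.

```python
import html
import re

# Constructed sample inputs, taken from the behaviour described in the thread.
SAMPLE_INPUTS = ["<b>hi</b>", "</script>", "img%20src"]


def slash_to_backslash(untrusted: str) -> str:
    """Model of the filter the thread attributes to the server:
    '/' becomes '\\'; %xx sequences pass through unchanged (no decoding)."""
    return untrusted.replace("/", "\\")


def html_escape(untrusted: str) -> str:
    """Context-correct output encoding for HTML text content:
    '<', '>', '&', '"' and "'" all become entities, so nothing is a tag."""
    return html.escape(untrusted, quote=True)


def contains_raw_tag(rendered: str) -> bool:
    """Review check: does the rendered output still contain a literal '<'
    followed by a letter, i.e. something an HTML parser treats as a tag?
    The slash filter only breaks closing tags; opening tags survive."""
    return re.search(r"<[A-Za-z]", rendered) is not None


def audit(filter_fn) -> dict:
    """Run one filter over the constructed samples and report, per input,
    whether a parseable tag remains in the output."""
    return {s: contains_raw_tag(filter_fn(s)) for s in SAMPLE_INPUTS}


if __name__ == "__main__":
    print("slash filter :", audit(slash_to_backslash))  # opening tags still present
    print("entity escape:", audit(html_escape))         # no tags survive
```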
This archive was generated by hypermail 2b30 : Thu Dec 05 2002 - 15:40:54 PST