|
|
 |
| New User, Welcome! Login |
Re: 5 char XSS?
| From: |
"Serg B" <sergeslists gmail com> |
| To: |
"Kristian Erik Hermansen" <kristian hermansen gmail com> |
| Cc: |
vuln-dev securityfocus com |
| Subject: |
Re: 5 char XSS? |
| Date: |
Sat - Apr 26, 2008 07:47 AM |
Am I the only one who sees the irony of an XSS related email/question
and example URLs to click? Heh.
Serg
On Thu, Apr 24, 2008 at 9:36 AM, Kristian Erik Hermansen
<kristian.hermansen@gmail.com> wrote:
> Just been noticing all the talk about Obama and Clinton sites and how
> the media keeps making a big deal out of all these XSS vulns, heh.
> However, I have a rather technical question about what, if anything,
> you can do when you have such a small buffer to exploit XSS? Check
> out this one I found and is not listed by xssed.com for
> hillaryclinton.com. You only get 5 chars to inject. So, are there
> any tricks that could possibly be used to expand the limitation via
> perhaps some unicode kung-fu here? Dunno, but thought it might be
> insteresting bring up because this is a common scenario in zip code
> search fields. The fix for Clinton is as simple as whitelisting the
> input field set to [0-9]...
>
> http://www.hillaryclinton.com/actioncenter/event/?mt=0&d=250&z=%22%3EXSS&s=z&EventSearchAndResults%3A_ctl0.x=0&EventSearchAndResults%3A_ctl0.y=0
>
> Regards,
> --
> Kristian Erik Hermansen
> --
> "Clever ones don't want the future told. They make it."
>
|
|
|
Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
Nearly all of LinuxRocket's features are free. Be kind and donate to the cause!
