Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Test the forums XSS security thread <>'"&.()javascript:vbscript:
Posted by: Lockdown
Date: August 23, 2006 07:31PM

<>'"&.()javascript:vbscript:

h0mfg. Teh 1337, yes? << two spaces are put into the <a href=""> dat not good =P

Test
[Test2]
kwhat

Why are quotes and ' not filtered?

Test



Edited 4 time(s). Last edit at 08/23/2006 07:35PM by Lockdown.

Options: ReplyQuote
Re: Test the forums XSS security thread <>'"&.()javascript:vbscript:
Posted by: rsnake
Date: August 24, 2006 10:17AM

I'm sure I don't need to remind you that this is coming dangerously close to violating the very first rule of the forum: http://sla.ckers.org/forum/read.php?1,5

Chill.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Test the forums XSS security thread <>'"&.()javascript:vbscript:
Posted by: WhiteAcid
Date: August 24, 2006 10:20AM

Lockdown, what's wrong with just using the preview functionailty to see how it'll render?

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Options: ReplyQuote
Re: Test the forums XSS security thread <>'"&.()javascript:vbscript:
Posted by: rsnake
Date: August 24, 2006 01:16PM

I don't think that's really in the "spirit" of the 1st rule... pen testing the site, is not really something I need help with. ;) It's more just that I don't like a lot of spam in my logs that is helping prove nothing because most people run tests that I've already ran anyway or run tests that couldn't possibly work because they aren't aware of the security I've put in place.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Test the forums XSS security thread <>'"&.()javascript:vbscript:
Posted by: Jcrusader
Date: August 25, 2006 04:38AM

This may be out of topic, but may I know some of the security functions that you've implemented? Aside from the usual codes, what other implementations did you use, like what regex's did you use etc. I'm really interested on how to protect my pages better.

Sorry for sounding like a noob, but maybe this will make a great article on ha.ckers.org if there was an accompanying XSS protection "cheat sheet" to go hand in hand with the XSS cheat sheet.

Options: ReplyQuote
Re: Test the forums XSS security thread <>'"&.()javascript:vbscript:
Posted by: rsnake
Date: August 25, 2006 09:23AM

Jcrusader, the protections I put on this site should not mirror anything anyone else does ever. Many of the things I do are at a certain level of obfuscation, for instance. The reason being I have found that obfuscation actually works as a security model (even if it's known that there _is_ obfuscation without actually letting people know what it is, of course). It's one of the few last bastions of truely interesting and largely unresearched (at least publically) security methodologies in my mind actually - obfuscation as a security model.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote


Sorry, only registered users may post in this forum.