ha.ckers sla.cking
Q and A for any cross site scripting information. Feel free to ask away. 
What the
Posted by: Matt Presson
Date: June 24, 2010 01:44PM

Can someone please tell me why this crap works? The parens are encoded and everything!

By the way, I have verified that this works in Chrome, the latest FF, and IE 8.

  <body onFocus="alert&#40;document.forms[0].pleaseno.value&#41;" >

  <input type="hidden" value="oh crap" name="pleaseno">


Re: What the
Posted by: Gareth Heyes
Date: June 24, 2010 04:19PM

LOL, c'mon Matt, remember attributes accept entities.

<body onload="x='&apos;,alert(1),&apos;'">

Double encoded expressions? :P

"People who say it cannot be done should not interrupt those who are doing it.";

Re: What the
Posted by: Matt Presson
Date: June 24, 2010 04:42PM

Well that's just stupid, but now that I remember ... I guess that's why the OWASP ESAPI has different codecs implemented for HTML, JavaScript, AND HTMLAttribute contexts.

Thanks Gareth. I knew you would know.

