Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
What the
Posted by: Matt Presson
Date: June 24, 2010 01:44PM

Can someone please tell me why this crap works? The parens are encoded and everything!

By the way, I have verified that this works in Chrome, the latest FF, and IE 8.

<html>
  <head>
  </head>
  <body onFocus="alert&#40;document.forms[0].pleaseno.value&#41;">
    <form>
      <input type="hidden" value="oh crap" name="pleaseno">
    </form>
  </body>
</html>

Edited 1 time(s). Last edit at 06/24/2010 01:48PM by Matt Presson.

Re: What the
Posted by: Gareth Heyes
Date: June 24, 2010 04:19PM

LOL, c'mon Matt, remember attributes accept entities.

<body onload="x='&apos;,alert(1),&apos;'">

Double encoded expressions? :P

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: What the
Posted by: Matt Presson
Date: June 24, 2010 04:42PM

Well that's just stupid, but now that I remember ... I guess that's why the OWASP ESAPI has different codecs implemented for HTML, JavaScript, AND HTMLAttribute contexts.

Thanks Gareth. I knew you would know.

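The two decoding stages the thread is about, as an added example (not code from either post): the HTML parser entity-decodes an event-handler attribute before the JavaScript engine ever sees it, so encoding only for the attribute context is undone by the browser, while ESAPI-style layering (JavaScript codec first, then HTMLAttribute codec) survives that decode. Python's html.unescape stands in for the browser's attribute-value decoding; the function names and the breakout check are assumptions made for this illustration, and the sample data is the string from Gareth's reply.

```python
import html
import re

# Sample from the thread (Gareth's reply): data placed inside onload="x='...'"
SAMPLE = "',alert(1),'"

def browser_attribute_value(raw_attr):
    """What the JS engine receives for an event-handler attribute: the HTML
    parser entity-decodes the value first, so &#40; is already '(' by then."""
    return html.unescape(raw_attr)

def html_attr_encode(s):
    """HTMLAttribute codec: entity-encode the characters the HTML tokenizer acts on."""
    return html.escape(s, quote=True)

def js_string_encode(s):
    """JavaScript codec: everything outside [A-Za-z0-9] becomes \\xHH or \\uHHHH,
    so the data can never close a string literal or turn into an operator."""
    out = []
    for ch in s:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append(f"\\x{cp:02x}" if cp < 0x100 else f"\\u{cp:04x}")
    return "".join(out)

def attribute_only(untrusted):
    """The mistake discussed in the thread: only the HTML-attribute layer is encoded."""
    return html_attr_encode(untrusted)

def js_then_attribute(untrusted):
    """Layered encoding: JavaScript codec first, then HTMLAttribute codec."""
    return html_attr_encode(js_string_encode(untrusted))

def js_engine_sees(fragment):
    """Source the JS engine compiles for onload="x='<fragment>'" once HTML parsing is done."""
    return "x='" + browser_attribute_value(fragment) + "'"

def breaks_out(js_source):
    """True if the embedded data contains a bare quote, i.e. it ends the x='...' literal early."""
    body = js_source[len("x='"):-1]
    return re.search(r"(?<!\\)'", body) is not None

def js_literal_value(js_source):
    """Value of the string literal after the JS engine resolves \\xHH / \\uHHHH escapes."""
    body = js_source[len("x='"):-1]
    return re.sub(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), body)

if __name__ == "__main__":
    for enc in (attribute_only, js_then_attribute):  # compare the two strategies
        src = js_engine_sees(enc(SAMPLE))
        print(enc.__name__, repr(src), "breaks out:", breaks_out(src))
```

Only the layered version keeps the data inside the literal and still round-trips it unchanged, which is the reason ESAPI ships separate HTML, JavaScript and HTMLAttribute codecs.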