Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
XSS - URL In Source Of Page
Posted by: dv8
Date: January 30, 2012 03:32AM

Hi,

Need assistance in validating a vulnerability. When executing a specific URL:
https://x.x.x.x/b/l.e?null=http://hXvpfwkV.example.com/

The page is returned and I can find "http://hXvpfwkV.example.com/" in the source of the page...here is the source:

<INPUT id="rt" name="rt" type="hidden" value="null=http://hXvpfwkV.example.com/">

I am trying to understand how this could be a vulnerability and how would one exploit it? What are the limitations?

Any assistance would be appreciated.

Regards
A

Re: XSS - URL In Source Of Page
Posted by: PaPPy
Date: January 30, 2012 05:25AM

Have you tried any of these?
https://x.x.x.x/b/l.e?null=http://hXvpfwkV.example.com/?test=">test
https://x.x.x.x/b/l.e?null=http://hXvpfwkV.example.com/">test
https://x.x.x.x/b/l.e?null=http://hXvpfwkV.example.com/#">test

http://www.xssed.com/archive/author=PaPPy/

Re: XSS - URL In Source Of Page
Posted by: dv8
Date: January 31, 2012 06:11AM

Tried that, does not return anything but the injected code in the source of the page.

Thanks for the assistance.

Will some type of RFI attack possibly work?

Re: XSS - URL In Source Of Page
Posted by: Anonymous User
Date: January 31, 2012 09:15AM

What do you mean it returns the injected code?

Does it return the injected code without sanitization?

Can you provide an example of the output when using one of PaPPy's strings?

Also, keep in mind that the input type is hidden, so you will need to use other methods of XSS if you aren't able to break out of the tag.

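The question the thread turns on (is the reflected value returned without sanitization, and does it stay inside the `value` attribute of the hidden `rt` field) can be checked mechanically by parsing the response the way a browser would. The following is an added example, not part of any post in the thread; `render_raw`, `render_encoded`, `FieldValue` and `classify_reflection` are hypothetical names, and the two renderers are constructed stand-ins for the server, whose code the thread never shows.

```python
from html import escape
from html.parser import HTMLParser

# Constructed stand-ins for the server's template; the thread never shows the real code.
TEMPLATE = '<INPUT id="rt" name="rt" type="hidden" value="{}">'


def render_raw(query):
    """Reflects the query string with no output encoding."""
    return TEMPLATE.format(query)


def render_encoded(query):
    """Reflects the query string HTML-attribute-encoded (the fix)."""
    return TEMPLATE.format(escape(query, quote=True))


class FieldValue(HTMLParser):
    """Records the parsed value attribute of the first <input name=...>."""

    def __init__(self, field_name):
        super().__init__()
        self.field_name = field_name
        self.value = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == self.field_name and self.value is None:
            self.value = attrs.get("value") or ""


def classify_reflection(response_html, field_name, sent):
    """Compare the value an HTML parser sees with the value that was sent."""
    parser = FieldValue(field_name)
    parser.feed(response_html)
    parser.close()
    got = parser.value
    if got is None:
        return "field-not-found"
    if got == sent:
        return "contained"  # any metacharacters stayed inside the attribute
    if sent.startswith(got) and sent[len(got):len(got) + 1] == '"':
        return "breakout"   # the raw quote ended the attribute early
    return "altered"        # the server filtered or rewrote the value


# Constructed inputs: the original request and one of the probes from the thread.
BENIGN = "null=http://hXvpfwkV.example.com/"
PROBE = 'null=http://hXvpfwkV.example.com/">test'
```

With `BENIGN`, both renderers classify as `contained`, so seeing the URL in the page source, as in the first post, does not by itself show missing encoding; only a value containing a quote separates the raw template from the encoded one.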

