Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
web.tickle weirdness
Posted by: Kyran
Date: September 22, 2006 04:05PM

After following rsnake's post, I immediately poked around http://web.tickle.com.

I found this rather interesting, what's exactly going on here?

http://web.tickle.com/search/index.jsp?query=%22%27%3Cscript%3Ealert+%28%22XSS%22%29%3C%2Fscript%3E%2F%22%5C%22%27%2F&sel=0&searchbutton=Tickle+Search

"'<script>alert ("XSS")</script>/"\"'/

That's the exact input. I noticed the filters handled ' and / by prefixing a \.

- Kyran

Re: web.tickle weirdness
Posted by: rsnake
Date: September 22, 2006 04:25PM

You've stumbled upon their own search engine not properly sanitizing results in their own database. It's not your injection, it's them returning data that looks similar to what you've requested, which happens to break their own JavaScript. Cute!

- RSnake
Gotta love it. http://ha.ckers.org

Re: web.tickle weirdness
Posted by: kirke
Date: September 22, 2006 05:44PM

hehe, that's a nice example of persistent XSS, and a very good one to show that input validation is not enough (unless you define any foreign data, including that from your own DB, as input); it needs output data validation too.

Re: web.tickle weirdness
Posted by: rsnake
Date: September 23, 2006 07:36PM

Nitesh posted about that on his blog actually: http://dhanjani.com/archives/000102.html

Mirrored on O'Reilly: http://www.oreillynet.com/onlamp/blog/2005/10/repeat_after_me_lack_of__outpu.html

- RSnake
Gotta love it. http://ha.ckers.org
