In the course of hunting down cross-site scripting, one is bound to
find what I have loosely referred to as "unusable" XSS (bad name).
As most are familiar, XSS is very browser dependent.
Specifically in this case, your browser is likely not interpreting the
HTML on a 302
response code. Why would it need to anyway. So, as much as this IS an
XSS issue,
it poses no risk to the browser you are using. Perhaps another browser
would be.
The standard fix could be suggested just the same however, just in case.
Another "unusable" example would be HTML returning in unused
response headers.
Hope this helps.
On Monday, September 8, 2003, at 08:32 AM, Stephen de Vries wrote:
>
> Hi all,
>
> I'm looking at an application that seems to be vulnerable to CSS
> attack,
> however, the browser keeps following the redirect before running the
> script. The request:
>
> GET /includes?"></a><script>alert('hello')</script> HTTP/1.1
>
> Results in the following response:
>
> HTTP/1.1 302 Object Moved
> Location: https://somwhereelse.com
> Server: Microsoft-IIS/4.0
> Content-Type: text/html
> Content-Length: 123
>
> <head><title>Document Moved</title></head>
> <body><h1>Object Moved</h1>This document may be found <a
> HREF="https://somewhereelse.com/includes/?"></
> a><script>alert('hello')</script>">here</a>
>
> The CSS injection looks as though it should work, if the browser just
> displayed that page, but instead it acts on the redirect immediately
> before displaying the page. This happens in both Mozilla 1.4 and IE 6.
> Do you think this represents a security risk ? Do older browsers
> behave
> in the same way ? Is it possible to turn this behaviour off ? Does
> cologne make the man ?
>
>
> cheers,
>
> Stephen
>
>
Jeremiah Grossman
Chief Executive Officer
WhiteHat Security, Inc.
Tel: 408.492.1817
===========================================================
This message and any files transmitted with it, may
contain confidential and privileged information. This
message is intended solely for the use of the individual
or entity to whom it is addressed. If the message has
been sent to you in error, please reply to inform the
sender of the error and then delete this message. You
are notified that reliance on, disclosure of,
distribution or copying of this message is prohibited.
WhiteHat Security, Inc.
===========================================================
find what I have loosely referred to as "unusable" XSS (bad name).
As most are familiar, XSS is very browser dependent.
Specifically in this case, your browser is likely not interpreting the
HTML on a 302
response code. Why would it need to anyway. So, as much as this IS an
XSS issue,
it poses no risk to the browser you are using. Perhaps another browser
would be.
The standard fix could be suggested just the same however, just in case.
Another "unusable" example would be HTML returning in unused
response headers.
Hope this helps.
On Monday, September 8, 2003, at 08:32 AM, Stephen de Vries wrote:
>
> Hi all,
>
> I'm looking at an application that seems to be vulnerable to CSS
> attack,
> however, the browser keeps following the redirect before running the
> script. The request:
>
> GET /includes?"></a><script>alert('hello')</script> HTTP/1.1
>
> Results in the following response:
>
> HTTP/1.1 302 Object Moved
> Location: https://somwhereelse.com
> Server: Microsoft-IIS/4.0
> Content-Type: text/html
> Content-Length: 123
>
> <head><title>Document Moved</title></head>
> <body><h1>Object Moved</h1>This document may be found <a
> HREF="https://somewhereelse.com/includes/?"></
> a><script>alert('hello')</script>">here</a>
>
> The CSS injection looks as though it should work, if the browser just
> displayed that page, but instead it acts on the redirect immediately
> before displaying the page. This happens in both Mozilla 1.4 and IE 6.
> Do you think this represents a security risk ? Do older browsers
> behave
> in the same way ? Is it possible to turn this behaviour off ? Does
> cologne make the man ?
>
>
> cheers,
>
> Stephen
>
>
Jeremiah Grossman
Chief Executive Officer
WhiteHat Security, Inc.
Tel: 408.492.1817
===========================================================
This message and any files transmitted with it, may
contain confidential and privileged information. This
message is intended solely for the use of the individual
or entity to whom it is addressed. If the message has
been sent to you in error, please reply to inform the
sender of the error and then delete this message. You
are notified that reliance on, disclosure of,
distribution or copying of this message is prohibited.
WhiteHat Security, Inc.
===========================================================
[ reply ]