> https://tigger.uic.edu/htbin/perlwrap-auth/jrockw2/safari_test.pl
Another test page is located here:
http://nicob.net/cgi-bin/content-type.cgi
> The security problem is that servers serving HTML may be taking
> measures to prevent XSS attacks; i.e. they convert < to &lt;. These
> servers, when serving plain text, may not do this (because it is
> unnecessary and undesirable)
Some Oracle webapps are doing exactly that: sending content with a
text/html content-type and not bothering to escape HTML or JavaScript
tags.
--
Nicolas Gregoire ----- Information Systems Security Consultant
ngregoire (at) exaprobe (dot) com ------[ ExaProbe ]------ http://www.exaprobe.com/
PGP KeyID:CA61B44F FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F
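The following is an added example, not the script behind nicob.net's content-type.cgi or the tigger.uic.edu test page and not code from Nicolas Gregoire. It is a minimal stand-in for such a test page: one handler serves the same user-supplied string either as text/plain (verbatim, since escaping there is "unnecessary and undesirable") or as text/html (HTML-escaped, the anti-XSS measure the quoted text refers to). Pointing a browser at both URLs shows whether it honours the declared type or sniffs the text/plain response into HTML, which is precisely the case where the server's escaping decision no longer protects the user. The `ct` and `q` query parameters, the listening port and the probe string are assumptions of this example.

```python
"""Minimal content-type test page (added example; assumes ?ct= and ?q=
query parameters, port 8000 and the constructed PROBE string below)."""
import html
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed probe: visibly different when rendered as markup than as text.
PROBE = '<b>bold?</b> <script>document.title="sniffed"</script>'

# The only types this test page is willing to emit (assumption).
ALLOWED_TYPES = {"text/plain", "text/html"}


def body_for(payload: str, content_type: str) -> str:
    """Return the response body for PAYLOAD under CONTENT_TYPE.

    text/html is escaped (the anti-XSS measure from the quoted text);
    text/plain is sent verbatim, because escaping plain text is pointless.
    A browser that sniffs text/plain into HTML therefore turns the safe
    plain-text response into an XSS vector without any server-side bug."""
    if content_type == "text/html":
        return "<pre>" + html.escape(payload, quote=True) + "</pre>"
    if content_type == "text/plain":
        return payload
    raise ValueError(f"unsupported content type: {content_type}")


def pick_content_type(query: str, default: str = "text/plain") -> str:
    """Read ?ct=... from the query string; anything unexpected falls back
    to DEFAULT so a client cannot make the page emit arbitrary types."""
    requested = parse_qs(query).get("ct", [default])[0]
    return requested if requested in ALLOWED_TYPES else default


class ContentTypeTest(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        ctype = pick_content_type(url.query)
        # Payload is the constructed probe unless ?q= supplies one.
        payload = parse_qs(url.query).get("q", [PROBE])[0]
        data = body_for(payload, ctype).encode("utf-8")
        self.send_response(200)
        # Explicit charset, so only the declared type drives any sniffing.
        self.send_header("Content-Type", f"{ctype}; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Visit http://127.0.0.1:8000/?ct=text/plain and ?ct=text/html
    # and compare what the browser renders.
    HTTPServer(("127.0.0.1", 8000), ContentTypeTest).serve_forever()
```

On a browser that respects the header, the text/plain URL shows the raw markup as text and the text/html URL shows the escaped markup inside a `<pre>`; a browser that sniffs text/plain will instead render the bold text and run the script. The example deliberately omits `X-Content-Type-Options: nosniff`, which current browsers honour to suppress exactly this sniffing; add it in production, leave it out when the point is to observe the sniffing itself.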