Re: [Full-disclosure] [WEB SECURITY] Useful technique when performing XSS
From: Amit Klein (aksecuritygmail.com)
Date: Wed Feb 07 2007 - 15:07:05 CST
pdp (architect) wrote:
> :) This is not about who did it first.
Agreed. But it would be nice to receive the credit ;-)
> BTW, your example is broken.
> location.search does not include the fragment identifier.
Guilty as charged. I remember working directly with document.location
(which includes the hostname and path) when I investigated the issue,
then when I wrote my text I decided that a more elegant way would be
with the ".search" property, but I failed to verify that it actually
works. Thanks for pointing this out, and here's the formal errata:
the example should be:
in the offset here]...))</script>#...JS payload here...
Thanks to "pdp (architect)" for pointing this out.
> On 2/7/07, Amit Klein <aksecuritygmail.com> wrote:
>> pdp (architect) wrote:
>> > http://www.gnucitizen.org/blog/playing-in-large
>> > Basically this article is about how to squeeze more data into a size
>> > restricted, unsanitized field. This technique can also be used to hide
>> > attackers' activities.
>> It seems that you've stumbled upon something I already disclosed:
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
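
The erratum above turns on which location properties carry the fragment identifier. The following is an added example, not part of the original post: it splits a URL into what `location.search`, `location.hash` and the full location string expose, and what the server receives in the request line. The function names and the example.test URLs are constructed for illustration.

```javascript
// Added example: which parts of a URL are visible to page script and to the server.
// All URLs used with these functions are constructed samples.

function urlVisibility(href) {
  const u = new URL(href);
  return {
    search: u.search,  // same value location.search gives: "?..." only, never the fragment
    hash: u.hash,      // same value location.hash gives: "#" and everything after it
    href: u.href,      // full location string: includes the fragment
    // Request target as sent in the HTTP request line (and written to access logs).
    // Browsers strip the fragment before sending the request.
    requestTarget: u.pathname + u.search,
  };
}

// True when the URL has a fragment and none of it reaches the server.
// Server-side logging and filtering cannot inspect that part.
function fragmentHiddenFromServer(href) {
  const v = urlVisibility(href);
  const frag = v.hash.slice(1);
  return frag.length > 0 && !v.requestTarget.includes(frag);
}

// Typical case: query string first, fragment last.
const typical = urlVisibility("http://example.test/view?name=abc#MARKER-data");

// Edge case: a "?" after the first "#" belongs to the fragment,
// so search is empty and the server sees only the path.
const edge = urlVisibility("http://example.test/view#a?b=c");

console.log(typical, edge);
```

Because the fragment never appears in `requestTarget`, reviewing server access logs alone will not show data passed this way; inspection has to happen in the browser or in the page's own script.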