steve jensen sjensen1207 at hotmail.com
Thu Jun 23 12:22:14 EDT 2011

It helps to know where the alert is being injected and executed within the page. However, yes, anytime you are able to inject arbitrary script and have it executed, it is a doorway for an attacker to perform more advanced attacks. It's just a matter of understanding the attack vector and some trial and error.

Date: Thu, 23 Jun 2011 09:15:53 -0700
From: druryjason at yahoo.com
To: websecurity at lists.webappsec.org
Subject: [WEB SECURITY] XSS Question

During a recent web pentest I found an input vulnerable to XSS. The developers have come back to me saying they resolved the issue, but upon retesting I found it still vulnerable to the following string: \";alert('XSS');//
Just for my own education, can anything malicious be done with such a string or is the extent of the damage a popup box (which is what I currently get)?
Thank you,
Jason
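Why the retest string can still execute after a quote-escaping fix, as an added example that is not part of the original thread. It assumes (the thread does not say) that the input lands inside a double-quoted JavaScript string literal and that the fix escaped only the double quote; the function names are hypothetical, and `alert` is replaced by a counting stub so the block runs offline in Node.js.

```javascript
// Constructed sample: the retest string quoted in the thread.
const payload = String.raw`\";alert('XSS');//`;

// Assumed page template: the value lands in a double-quoted JS string literal.
function renderScript(escaped) {
  return 'var q = "' + escaped + '";';
}

// Assumed incomplete fix: only the double quote is escaped, so a backslash
// supplied by the user escapes the filter's backslash and frees the quote.
function escapeQuotesOnly(s) {
  return s.replace(/"/g, '\\"');
}

// Hardened encoder for the JS-string context: everything outside a small
// allowlist becomes \uXXXX, so quotes, backslashes and "</script>" cannot
// end the literal.
function escapeForJsString(s) {
  return s.replace(/[^A-Za-z0-9 ,._]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Parse and run the rendered script with a counting stub in place of alert.
function evaluate(escaper, input) {
  const script = renderScript(escaper(input));
  let alertCalls = 0;
  const run = new Function('alert', script + '\nreturn q;');
  const value = run(() => { alertCalls += 1; });
  return { script, value, alertCalls };
}

const weak = evaluate(escapeQuotesOnly, payload);
const strong = evaluate(escapeForJsString, payload);
console.log(weak.script, '-> alert calls:', weak.alertCalls);
console.log(strong.script, '-> alert calls:', strong.alertCalls);
```

The encoder is only correct for the JavaScript string context; a value written into HTML text or an attribute needs that context's encoding instead.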