[WEB SECURITY] XSS Question
sjensen1207 at hotmail.com
Thu Jun 23 12:22:14 EDT 2011
It helps to know where the alert is being injected and executed within the page. However, yes, anytime you are able to inject arbitrary script and have it executed, it is a doorway for an attacker to perform more advanced attacks. It's just a matter of understanding the attack vector and some trial and error.
Date: Thu, 23 Jun 2011 09:15:53 -0700
From: druryjason at yahoo.com
To: websecurity at lists.webappsec.org
Subject: [WEB SECURITY] XSS Question
During a recent web pentest I found an input vulnerable to XSS. The developers have come back to me saying they resolved the issue, but upon retesting I found it still vulnerable to the following string: \";alert('XSS');//
Just for my own education, can anything malicious be done with such a string or is the extent of the damage a popup box (which is what I currently get)?
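Why the retest string in the question can still work after a fix, as an added example that is not part of the original thread. It assumes the input is written into a double-quoted JavaScript string literal and that the fix escaped `"` but not `\`; the function names are hypothetical.

```javascript
// Added example, not code from the thread. ASSUMPTION: the page writes the
// input into a double-quoted JavaScript string literal in an inline script.

// The retest string quoted in the thread: \";alert('XSS');//
const RETEST_STRING = '\\";alert(\'XSS\');//';

// Hypothetical incomplete fix: escapes the quote but leaves backslashes alone,
// so a user-supplied backslash escapes the backslash the filter adds.
function escapeQuotesOnly(input) {
  return input.replace(/"/g, '\\"');
}

// Hardened encoder for a JS string context: every UTF-16 unit outside
// [A-Za-z0-9 ] becomes \uXXXX, so quotes, backslashes, "<", "/" and line
// terminators cannot end the literal or the enclosing script block.
function encodeForJsString(input) {
  return input.replace(/[^A-Za-z0-9 ]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The statement the page would emit for a given encoder and input.
function renderStatement(encoder, input) {
  return 'var q = "' + encoder(input) + '"; return q;';
}

// Runs the statement with a stubbed alert. The input stayed data if it comes
// back unchanged; it ran as code if the stub was called.
function evaluate(encoder, input) {
  let alertCalls = 0;
  let value;
  try {
    value = new Function('alert', renderStatement(encoder, input))(() => {
      alertCalls += 1;
    });
  } catch (err) {
    value = undefined; // the statement failed to parse or threw
  }
  return { alertCalls, staysData: value === input };
}

console.log(renderStatement(escapeQuotesOnly, RETEST_STRING));
console.log(evaluate(escapeQuotesOnly, RETEST_STRING));
console.log(renderStatement(encodeForJsString, RETEST_STRING));
console.log(evaluate(encodeForJsString, RETEST_STRING));
```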