[WEB SECURITY] XSS Question

steve jensen sjensen1207 at hotmail.com
Thu Jun 23 12:22:14 EDT 2011


It helps to know where the alert is being injected and executed within the page. However, yes, anytime you are able to inject arbitrary script and have it executed, it is a doorway for an attacker to perform more advanced attacks. It's just a matter of understanding the attack vector and some trial and error.

Date: Thu, 23 Jun 2011 09:15:53 -0700
From: druryjason at yahoo.com
To: websecurity at lists.webappsec.org
Subject: [WEB SECURITY] XSS Question

Hello,
During a recent web pentest I found an input vulnerable to XSS. The developers have come back to me saying they resolved the issue, but upon retesting I found it still vulnerable to the following string: \";alert('XSS');//
Just for my own education, can anything malicious be done with such a string or is the extent of the damage a popup box (which is what I currently get)?
Thank you,
Jason
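
Why a string like the one in the question can survive a fix, as an added example that is not part of either message. It assumes the input is reflected inside a double-quoted JavaScript string literal and that the fix escaped only double quotes; `escapeQuotesOnly`, `escapeForJsString` and `codeAfterLiteral` are hypothetical names.

```javascript
// Added example. Assumption: the input is reflected inside a double-quoted
// JavaScript string literal in an inline script, e.g.  var q = "<input>";
// All function names here are hypothetical, not the application's code.

// The string from the question, character for character.
const PAYLOAD = String.raw`\";alert('XSS');//`;

// Assumed incomplete fix: escape double quotes, leave backslashes untouched.
function escapeQuotesOnly(input) {
  return input.replace(/"/g, '\\"');
}

// Hardened encoder: every non-alphanumeric UTF-16 code unit becomes \uXXXX,
// so no quote, backslash, slash or angle bracket reaches the script verbatim.
function escapeForJsString(input) {
  return input.replace(/[^A-Za-z0-9]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Scans an escaped value the way a JS parser scans a string literal body.
// Returns the text left over as code after the first unescaped double quote,
// or null when the literal never closes inside the value (it stayed data).
function codeAfterLiteral(escapedValue) {
  for (let i = 0; i < escapedValue.length; i++) {
    if (escapedValue[i] === '\\') { i++; continue; } // backslash consumes next char
    if (escapedValue[i] === '"') return escapedValue.slice(i + 1);
  }
  return null;
}

const encoders = [['quotes only', escapeQuotesOnly], ['\\uXXXX', escapeForJsString]];
for (const [name, encode] of encoders) {
  const out = encode(PAYLOAD);
  console.log(name + ': var q = "' + out + '";');
  console.log('  parsed as code after the literal:', codeAfterLiteral(out));
}
```

With the quotes-only escaping, the injected backslash pairs with the backslash the filter adds, which leaves the double quote unescaped and ends the literal early.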