[WEB SECURITY] XSS filter Bypass
john.wilander at owasp.org
Tue May 29 11:59:03 EDT 2012
Have you tried <%73cript and <%53cript, i.e. URL encoding of 's' and 'S'?
Tried various encodings of '<' so you don't trigger the filter at all?
My music http://www.johnwilander.com
CV or Résumé http://johnwilander.se
24 maj 2012 kl. 12:16 skrev Appsec User <pentestguy.cs at gmail.com>:
> I am probing for XSS in an application. Application has a filter which
> triggers if I put anything after less than sign '<' except space, %
> and >. So application accepts < character but only allows space, % and
>> after it. So e.g < script(note space in b/w) is allowed but <script
> will be rejected(no space). I have tested for various encoding also
> <%00script is allowed but it puts space between < and script and
> context. Any suggestions how can I by-pass this filter.
> The Web Security Mailing List
> WebSecurity RSS Feed
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> websecurity at lists.webappsec.org
More information about the websecurity