
| Subject: | Re: XSS Testing |
|---|---|
| Date: | Sat, 18 Sep 2004 17:03:31 -0700 (PDT) |
You already mentioned other types of encoding, but there are quite a
few, so I finally wrote a cheatsheet to help with this stuff.
http://www.shocking.com/~rsnake/xss.html
There is Unicode with and without semicolons, with and without padding
of zeros, same with hex, and character encoding...
On Fri, 17 Sep 2004, PenTest Guy wrote:
| Date: Fri, 17 Sep 2004 15:26:11 +0000
| From: PenTest Guy <pentestguy@hotmail.com>
| To: webappsec@securityfocus.com
| Subject: XSS Testing
|
| I'm testing a web application. Previously, I had found XSS using a standard
| variant: <scr1pt>al3rt('XSS')</scr1pt> (note used 3 for e and 1 for i as to
| not cause any problems). I also URL encoded this same variant and it worked
| as well. So I told them how to fix it (filtering out malicious characters,
| encoding, etc. on the server side) and it seems fixed now. I was just
| curious if there is any other way to manipulate the same variant, such as
| other encoding schemes, that might bypass the protections I recommended.
|
| Thanks.
|
-R
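
Added example, not part of the original messages or of the linked cheat sheet: the encodings listed in the reply all decode to the same character, so a server-side check that looks for the literal character in raw input does not recognise them. The sketch below canonicalizes input before validating it and encodes on output; the function names, MAX_ROUNDS and the sample strings are constructed for illustration.

```python
import html
from urllib.parse import unquote

MAX_ROUNDS = 5  # assumption: input nested deeper than this is rejected

# Constructed samples: the single character "<" written in the forms the reply
# lists (with/without semicolon, with/without zero padding, decimal, hex),
# plus URL-encoded and layered variants.
SAMPLES = [
    "&#60;", "&#60", "&#0000060;", "&#0000060",
    "&#x3c;", "&#x3C", "&#x00003c;",
    "%3C", "%253C", "%26%2360%3B",
]

def canonicalize(value):
    """Undo URL escapes and HTML character references until nothing changes."""
    for _ in range(MAX_ROUNDS):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            return value
        value = decoded
    raise ValueError("still decoding after %d rounds" % MAX_ROUNDS)

def naive_filter_passes(value):
    """Literal-character check on the raw input."""
    return "<" not in value and ">" not in value

def strict_filter_passes(value):
    """Same check, applied to the canonical form; over-nested input fails."""
    try:
        canonical = canonicalize(value)
    except ValueError:
        return False
    return "<" not in canonical and ">" not in canonical

def render(value):
    """Output encoding for HTML text and quoted attribute values."""
    return html.escape(value, quote=True)

def audit(samples):
    """Map each sample to (naive verdict, strict verdict, canonical form)."""
    return {s: (naive_filter_passes(s), strict_filter_passes(s), canonicalize(s))
            for s in samples}

if __name__ == "__main__":
    for sample, verdicts in audit(SAMPLES).items():
        print(sample, verdicts)
```

Every sample passes the raw-string check and fails the canonical one; render() is what keeps a value inert when it is written back into a page.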