Via Brad Neuberg: RSnake's XSS (Cross Site Scripting) Cheatsheet, especially for filter evasion.
Limitations on cross-site scripting (XSS hereafter) have been troubling me as I try to write enhancements to our library catalog, but the reasons for the prohibition are sound. Without them I could snort your browser cookies (RSnake lists "cookie/credential stealing/replay/session riding" among the threats, but a well-planned attack could also fetch resources from internal webservers and deliver them to external data thieves).
It turns out you can insert JavaScript in <img> tags (among many, many others) and obfuscate it with Unicode, hex, and other less-readable encodings, or by inserting tab characters ("\t") or newlines ("\n"). It would be impossible for me to list every possible attack vector, but RSnake takes a good stab at it.
If you allow users to insert HTML in comments, you should be aware of this…
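The obfuscation tricks above are exactly why a comment filter that looks for the literal string "javascript:" is not enough: an entity-encoded or tab-split scheme slips past it and the browser still decodes it. The sanitizer below is an added example (not code from this post or from RSnake's cheatsheet) showing the defensive alternative for user-submitted comment HTML: decode entities, strip the control characters browsers ignore, and then keep only an allowlist of tags, attributes and URL schemes. The names `sanitize_comment`, `is_safe_url` and `naive_filter_blocks`, the allowlist and the sample fragments are all this example's own.

```python
"""Allowlist-based sanitizer for user-submitted comment HTML (added example).

Demonstrates why a substring filter fails against encoded or tab-split
"javascript:" URLs and how decode-then-allowlist handles the same input.
All names and sample inputs here are constructed for this example.
"""
import html
import re
from html.parser import HTMLParser

# Tags permitted in comments, each with the attributes it may carry.
ALLOWED = {
    "b": set(), "i": set(), "em": set(), "strong": set(), "p": set(), "br": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https"}
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}        # drop the tag and everything inside it
# ASCII control characters and whitespace; browsers ignore these inside a URL scheme.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")


def naive_filter_blocks(value: str) -> bool:
    """The insufficient check: a literal substring match on the raw attribute value."""
    return "javascript:" in value.lower()


def is_safe_url(value: str) -> bool:
    """Fully decode entities, drop control characters, then allowlist the scheme."""
    decoded = value
    while True:                            # repeat so double-encoded values are caught
        again = html.unescape(decoded)
        if again == decoded:
            break
        decoded = again
    stripped = _CONTROL.sub("", decoded)
    head = re.split(r"[/?#]", stripped, maxsplit=1)[0]
    if ":" not in head:
        return True                        # relative URL, no scheme at all
    return head.split(":", 1)[0].lower() in ALLOWED_SCHEMES


class _Sanitizer(HTMLParser):
    """Rebuilds the fragment from allowlisted tags only; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop = 0                     # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._drop += 1
            return
        if tag not in ALLOWED or self._drop:
            return
        kept = []
        for name, value in attrs:          # HTMLParser has already unescaped values
            if name not in ALLOWED[tag] or value is None:
                continue
            if name in URL_ATTRS and not is_safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._drop = max(0, self._drop - 1)
        elif tag in ALLOWED and tag not in VOID_TAGS and not self._drop:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop:
            self.out.append(html.escape(data, quote=False))


def sanitize_comment(fragment: str) -> str:
    """Return a rebuilt fragment containing only allowlisted markup."""
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample: the tab-split scheme is entity-encoded, as the post describes.
    sample = '<img src="java&#x09;script:alert(1)" alt="x"><b>hello</b>'
    print("naive filter blocks it:", naive_filter_blocks(sample))   # False
    print("sanitized:", sanitize_comment(sample))                   # <img alt="x"><b>hello</b>
```

The design choice worth noting is that the sanitizer never tries to enumerate bad input; it rebuilds the fragment from known-good parts, so a new encoding trick that the naive filter would miss still ends up in the same decoded-and-stripped scheme check.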
Posted November 1, 2005 by Casey Bisson
Categories: Technology. Tags: browser threats, cheatsheet, cross site javascript, cross site scripting, filter evasion, internet threats, javascript, scripting, threat, threats, web, web browser, xss.