lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAMZdzBc8RSbR+xg70QE=ZYZnu6FsyxFg2TprGT59UgKstVB6nQ@mail.gmail.com> Date: Sat, 29 Nov 2014 06:37:43 +0000 From: James Hooker <seidrhrafn@...glemail.com> To: A Z <kryptos.gnostikos@...il.com> Cc: fulldisclosure@...lists.org Subject: Re: [FD] XSS (in 20 chars) in Microsoft IIS 7.5 error message You could skip the schema on any includes, and just use '//'. That will then use the schema provided in the original URL. That will save you 4 characters at least. You can also skip most quotes in tags - that will save you a few more characters. Link shortening services might also be of use, however one that generates links short enough might be hard to come by - more likely, you'll need a 3 character domain, with a 2 character extension (such as UK, or IN). You might be able a squeeze a script tag into that saved space.. *might* Hello everyone, I found some weird HTML code injection in an IIS error message. IIS spits out some part of the user input that generated the error message, but will only display 20 characters at most. My question is: is it possible to actually exploit an XSS with this ? Here is an example: HTTP Request: mypage?search=%3cb%20onclick%3dalert(1)>%3e HTTP Response (real): <p>An error has occured.</p> <p>Exception HttpRequestValidationException occurred while attempting <b>mypage</b></p> <p>Exception message is: <b>A potentially dangerous Request.QueryString value was detected from the client (search="<b onclick=alert(1)>...").</b></p> <p>Stack trace:</p> <pre> Server stack trace: [..] My payload was: <b onclick=alert(1)>> and it works (after clicking). However, can this actually be exploited in real life ? I tried stuff in 20 characters like: <embed src=http://x> or <img src=http://x/z> but no luck. Has anyone ever tried this before ? Thanks, P.S. This might be a silly question with an obvious answer. If so, I'd be grateful to have some extra information (links, docs etc.). _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists