Tag Archives: browser

Advisory: Attack of the Mongolian space evaders! (and other Medieval XSS vectors)

Posted on August 26, 2008 by Chris Weber

Damage: Filter evasion, cross-site scripting Exploit: Bypass XSS filters, IPS/IDS, AV, or WAF’s with specially crafted white_space characters to execute XSS attacks. Root Cause: Interpreting syntax replacements Product Version: Opera 9.51 and earlier Or should we call this “Druidic magical … Continue reading →

Posted in Unicode, advisory, browser, cross site scripting | Tagged browser, Unicode, XSS | 8 Comments

Internet Explorer whitespace-as-comment hack to bypass input filters

Posted on January 11, 2007 by Chris Weber

When testing for XSS (cross-site scripting) issues, you often need to bypass filters and perform different sorts of encodings and other trickery. To be a good tester you also need to know how the browsers you’re concerned with behave differently. … Continue reading →

Posted in Web, browser, testing | Tagged browser, XSS | Leave a comment

CSS 2.1 specifications and references

Posted on October 19, 2006 by Chris Weber

Cascading style sheets have been a good vector for cross site scripting (XSS) bugs lately. Especially as social networking sites move to allowing users more control over their profiles and UI’s. Keeping this in mind, I need to study up … Continue reading →

Posted in cascading style sheets | Tagged browser, cascading style sheets | Leave a comment

Tag Archives: browser

Advisory: Attack of the Mongolian space evaders! (and other Medieval XSS vectors)

Internet Explorer whitespace-as-comment hack to bypass input filters

CSS 2.1 specifications and references

Archives

Meta