Wednesday, May 27, 2009

Rediff XSS, the redux

It seems like my praise for Rediff was too quick. I had not tested out the Rediff search site exhaustively. This was brought to my attention by an OWASP Delhi member. Apparently, our friends at Rediff have not "fixed" the XSS vulnerability in the search area. My attempts at performing a rudimentary XSS were thwarted, but I hadn't explored the possibility of encoding my payload using JavaScript escape(), so this time, I tried and came up with this:

Apparently, the folks at Rediff have performed some very poor input validation and have probably only filtered the "<" and ">".
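
The failure mode described above, as an added example that is not code from this post or from Rediff: a filter that strips raw "<" and ">" runs before a later percent-decoding step, so an escape()-encoded value passes through, while HTML-encoding at output, after all decoding, neutralises it. The function names, the order of the two steps and the harmless sample string are assumptions made for illustration.

```javascript
// Assumed model of the flaw: the filter sees the raw parameter, and a later
// layer percent-decodes the value before it is written into the page.
function naiveFilter(raw) {
  return raw.replace(/[<>]/g, ""); // only literal angle brackets are removed
}

function laterDecode(value) {
  try {
    return decodeURIComponent(value);
  } catch (e) {
    return value; // malformed escape sequence: leave the value unchanged
  }
}

// Weak pipeline: filter first, decode afterwards, no output encoding.
function renderWeak(raw) {
  return "<p>Results for " + laterDecode(naiveFilter(raw)) + "</p>";
}

// Output encoding for an HTML text context, covering all five characters.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};
function encodeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Corrected pipeline: decode first, then encode at the point of output,
// so it no longer matters how the markup characters arrived.
function renderHardened(raw) {
  return "<p>Results for " + encodeHtml(laterDecode(raw)) + "</p>";
}

// Constructed, harmless sample: the result of escape("<b>bold</b>").
const SAMPLE = "%3Cb%3Ebold%3C/b%3E";

console.log(renderWeak("<b>bold</b>")); // raw brackets are stripped
console.log(renderWeak(SAMPLE));        // encoded brackets survive the filter
console.log(renderHardened(SAMPLE));    // markup is rendered as inert text
```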

Disclaimer

The views presented in this blog are entirely mine and are not those of my company.

© Abhay Bhargav 2010