This is not related to XSS but to input validation. It looks like it
doesn't know what to do with the %27 which is a ' mark. Since it's a
username field and it doesn't like the ' mark you should look more at
sql injection and the logic processing of the application.
On Sat, May 3, 2008 at 1:02 AM, arvind doraiswamy
<arvind.doraiswamy_at_gmail.com> wrote:
> You want to elaborate a bit more on this? My feel is that the fact
> that it gave you a session error back meant that you were already
> logged in to the application. Then you intercepted or somehow did the
> XSS bit upon which the app detected you had messed around with the
> variables and threw you out. You then killed Firefox which should have
> destroyed the session as well but for some reason did not. Most
> probably because there is some kind of "remember me" feature in the
> application which is storing session state somewhere (maybe a cookie??)
> or the page what you see is cached and there's no real connection
> happening to the server when you go to that page again. This sounds
> possible as well because a "logged in user" page if it has static
> content might not change and is cached. That is a problem but it's not
> an XSS problem.
>
> If I've misunderstood please post back.
>
> Cheers
> Arvind
>
> On Thu, May 1, 2008 at 7:59 AM, <guinness.stout_at_gmail.com> wrote:
> > I was hoping someone could shed some light on this odd XSS
> > vulnerability I uncovered while doing a pentest for a client. The
> > site is a customer portal and when the below XSS is executed nothing
> > happens. Basically gives a session error back, nothing interesting
> > there. But when you kill -9 or End Process on Firefox then reopen
> > with "Restore Session" the site comes back up to the XSS but dumps
> > logged-in users' information.
> >
> > I cannot replicate this in other browsers nor with Paros, webscarab, SPIKE etc.
> >
> > https://host/portal/j_acegi_security_check?j_username=%27%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&j_password=d&login=Login
> >
> > -Chris
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution FREE today!
> >
> > http://www.cenzic.com/downloads
> > ------------------------------------------------------------------------
Received on May 06 2008
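An added example, not code from the thread or from the portal under test: it decodes the j_username value from the URL Chris posted and shows why a lookup that pastes the username into the SQL text fails on the apostrophe (the kind of failure an application may surface as a generic "session error"), while a parameterized lookup treats the same apostrophe as data. The in-memory users table and the two lookup functions are assumptions made for illustration; the thread says nothing about the portal's schema or its queries.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The login URL exactly as posted in the thread.
LOGIN_URL = ("https://host/portal/j_acegi_security_check?j_username="
             "%27%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E"
             "&j_password=d&login=Login")


def make_db():
    """Constructed sample store (assumption): one user in an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'secret')")
    conn.commit()
    return conn


def username_from_login_url(url):
    """Percent-decode j_username the way the server-side form binding would."""
    return parse_qs(urlsplit(url).query)["j_username"][0]


def lookup_concatenated(conn, username):
    """Hypothetical weak lookup: the username is spliced into the SQL text.
    The leading ' in the input terminates the string literal early, so the
    statement no longer parses as intended and the database raises an error."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened lookup: the value is bound as a parameter, so a quote is
    just a character in the data and can never alter the statement."""
    sql = "SELECT username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def classify(conn, username):
    """Report how each lookup reacts to a username: ('rows', [...]) on
    success, ('error', message) when the database rejects the statement."""
    try:
        naive = ("rows", lookup_concatenated(conn, username))
    except sqlite3.Error as exc:
        naive = ("error", str(exc))
    safe = ("rows", lookup_parameterized(conn, username))
    return naive, safe


if __name__ == "__main__":
    db = make_db()
    posted = username_from_login_url(LOGIN_URL)
    print("decoded j_username:", posted)
    for name in (posted, "alice"):
        naive, safe = classify(db, name)
        print(repr(name), "-> concatenated:", naive, "| parameterized:", safe)
```

Run stand-alone it prints the decoded username, then shows the concatenated query erroring on the posted value while the parameterized query simply returns no rows; for a normal username both return the same row. The defensive takeaway matches the reply above: treat the apostrophe as a data-handling problem in the login path, and make sure every query that touches j_username is parameterized rather than built by string concatenation.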