Vulnerability Development: Re: 5 char XSS?

Re: 5 char XSS?

From: Kristian Erik Hermansen <kristian.hermansen_at_gmail.com>
Date: Sat, 26 Apr 2008 10:02:06 -0700

Yes, you make a good point :-). However, the purpose of the email was
that we can't inject anything useful in 5 chars, so the XSS I posted
merely corrupts the page a little, and does not execute any scripts on
you. Honest! Go click the links and see ... Hehe

On 4/26/08, Serg B <sergeslists_at_gmail.com> wrote:
> Am I the only one who sees the irony of an XSS related email/question
> and example URLs to click? Heh.
>
> Serg
>
>
> On Thu, Apr 24, 2008 at 9:36 AM, Kristian Erik Hermansen
> <kristian.hermansen_at_gmail.com> wrote:
> > Just been noticing all the talk about Obama and Clinton sites and how
> > the media keeps making a big deal out of all these XSS vulns, heh.
> > However, I have a rather technical question about what, if anything,
> > you can do when you have such a small buffer to exploit XSS? Check
> > out this one I found that is not listed by xssed.com for
> > hillaryclinton.com. You only get 5 chars to inject. So, are there
> > any tricks that could possibly be used to expand the limitation via
> > perhaps some unicode kung-fu here? Dunno, but thought it might be
> > interesting to bring up because this is a common scenario in zip code
> > search fields. The fix for Clinton is as simple as whitelisting the
> > input field set to [0-9]...
> >
> >
> > http://www.hillaryclinton.com/actioncenter/event/?mt=0&d=250&z=%22%3EXSS&s=z&EventSearchAndResults%3A_ctl0.x=0&EventSearchAndResults%3A_ctl0.y=0
> >
> > Regards,
> > --
> > Kristian Erik Hermansen
> > --
> > "Clever ones don't want the future told. They make it."
> >
>

-- 
Sent from Gmail for mobile | mobile.google.com
Kristian Erik Hermansen
--
"Clever ones don't want the future told. They make it."
Received on Apr 28 2008
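As an added illustration (my code, not from anyone in this thread), the whitelist fix the original post describes for a zip-code field: the parameter is pulled from a constructed URL that carries the same 5-character `z=%22%3EXSS` payload shape as the one posted, validated against `[0-9]{5}`, and then HTML-encoded on output as defence in depth. The host name and the field markup are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed URL mirroring the shape of the one in the thread:
# the z= parameter decodes to the five characters  ">XSS
EXAMPLE_URL = (
    "https://example.invalid/actioncenter/event/"
    "?mt=0&d=250&z=%22%3EXSS&s=z"
)

# The whitelist the original post suggests. [0-9] is an ASCII range;
# \d would also accept Unicode digits, which is exactly the kind of
# encoding trick the post asks about, so it is avoided on purpose.
ZIP_RE = re.compile(r"[0-9]{5}")


def zip_from_query(url: str) -> str:
    """Return the URL-decoded value of the z= parameter, or '' if absent."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("z", [""])[0]


def is_valid_zip(value: str) -> bool:
    """Whitelist check: exactly five ASCII digits and nothing else."""
    return ZIP_RE.fullmatch(value) is not None


def render_zip_field_unsafe(value: str) -> str:
    """The vulnerable pattern: reflect the parameter straight into an attribute.
    A value of  ">XSS  closes the attribute and the tag, which is the
    'corrupts the page a little' effect described in the thread."""
    return f'<input name="z" value="{value}">'


def render_zip_field(value: str) -> str:
    """Hardened version: drop anything outside the whitelist, then still
    HTML-encode on output so a future validator bug cannot reopen the hole."""
    if not is_valid_zip(value):
        value = ""
    return f'<input name="z" value="{html.escape(value, quote=True)}">'


if __name__ == "__main__":
    raw = zip_from_query(EXAMPLE_URL)
    print(repr(raw))                     # '">XSS'
    print(render_zip_field_unsafe(raw))  # attribute and tag are broken out of
    print(render_zip_field(raw))         # payload rejected, field left empty
```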