XSS - Not just for girls!
Requirements: none

Update:

Ok.. so 31 chars allowed a quick-thinking `<img src="http://x.y.z.a">`, which got the browser out.. that option is gone.. the limit is now 30 chars (we can keep making this arbitrarily smaller, so the solution is not to find the smallest IP/domain you can get your hands on :>

/mh


You are faced with a web-based application that you know is vulnerable to XSS. You have seen the code.. Once you submit your details, they will be viewed by an admin or another user.

[This QoW is a simple version.. if you can XSS yourself, you win]

All you need to do to claim victory is to submit your details so that the resulting page redirects you to a listening netcat.

No cookie-grab needed (maybe we want to steal the guy's referer)...

The vulnerable form is here; a copy of the CGI's source is here.

TIP: You can see from the code that your stuff has to fit into 31 chars...
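The point of this QoW, from the defender's side, is that a length cap is not an XSS mitigation: the tag from the update fits comfortably under the cap, and the real fix is to encode user data for the HTML context it lands in. The snippet below is an added illustration, not the CGI's code (that source is not on this page); `length_filter` is an assumed reconstruction of a "reject if over 30 chars" check, and `LONG_INPUT` is a constructed value.

```python
import html
from typing import Optional

# The placeholder tag quoted in the update above (it is well under 30 chars).
PAGE_PAYLOAD = '<img src="http://x.y.z.a">'
# Constructed input that is over the cap, to show what the length check does catch.
LONG_INPUT = '<img src="http://example.invalid/a/rather/long/path">'


def length_filter(value: str, limit: int = 30) -> Optional[str]:
    """Assumed model of the CGI's only control: drop inputs over `limit`,
    pass everything else through unchanged."""
    return value if len(value) <= limit else None


def render_unsafe(value: str) -> str:
    """Reflects the submitted value straight into the page (the vulnerable pattern)."""
    return f"<p>Your details: {value}</p>"


def render_safe(value: str) -> str:
    """Same template, but the value is HTML-encoded for element content, so
    <, >, & and quotes can no longer open a tag or attribute."""
    return f"<p>Your details: {html.escape(value, quote=True)}</p>"


def contains_live_tag(rendered: str) -> bool:
    """Crude check used only for the demo: does the output still carry a raw <img tag?"""
    return "<img" in rendered


if __name__ == "__main__":
    passed = length_filter(PAGE_PAYLOAD)
    print("length check let the short tag through:", passed is not None)
    print("unsafe render still has a tag:", contains_live_tag(render_unsafe(passed)))
    print("safe render still has a tag:  ", contains_live_tag(render_safe(passed)))
    print(render_safe(passed))
```

The length check only ever affects how long the attacker's string may be; `html.escape` removes the ability to break out of the text context at all, whatever the cap is set to.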


The answer is available here.