On 16.02.2012 23:50, Andres Riancho wrote:
> Achim,
>> escaped or removed angle braces:
>> continue with tag or attribute injection
>
> If and only if we're not in a TEXT (<a>TEXT</a>) section, because
> we're never going to be able to execute JS if we don't create some
> kind of new tag and are in that context. Correct?

not correct, see below

>> removed or mangled fooled tag:
>> continue attribute injection and non-HTML injections like CSS or JS
>
> Something similar to the above applies but I'm too tired to think ;)
>

If you're in a TEXT section where the enclosing tag is *not* script, style, svg, embed, object, <!-- , or CDATA (some more?), you have no real XSS, just some kind of content spoofing. I'd not qualify this as a security problem; it's worth reporting as a "QA" problem.

However, in modern web pages such TEXT may be used as data within some javascript code, then it's important what kind of TEXT we have and how it will be used. Think about doing something like:

eval(document.getElementById('stupid').innerText);

(are there really developers doing such stupid things?)

And what about data returned in JSON context? It's neither HTML nor enclosed in tags. It even may not be simply identified as javascript, i.e.:

{'you got it'}

or DWR data like (separated by newlines):

key=value
otherdata

You see, TEXT may come in various flavours. You (the tool) need to know in which context such TEXT will be used later on.

Sorry for telling complicated stories ;-)

Achim
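An added example, not code from w3af or from anyone in this thread, of the context check Achim is asking the tool to make: a small Python classifier that reports where a reflected marker string lands in a response (plain TEXT under an ordinary tag, TEXT under script/style/svg/embed/object, an attribute value, an HTML comment, or a JSON body), so a scanner or reviewer can tell content spoofing from a code-bearing context. The class and function names, the marker value and the sample responses are constructed for this example.

```python
import json
from html.parser import HTMLParser

# Tags from the thread in which reflected TEXT is parsed as code, not content.
CODE_BEARING = {"script", "style", "svg", "embed", "object"}
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}  # enclose no text

class ReflectionContextFinder(HTMLParser):
    # Records every context in which `marker` appears in an HTML document.
    def __init__(self, marker):
        super().__init__(convert_charrefs=False)
        self.marker = marker
        self.open_tags = []   # stack of enclosing element names
        self.contexts = []    # findings, in document order

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is not None and self.marker in value:
                self.contexts.append("attribute:%s@%s" % (tag, name))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            while self.open_tags.pop() != tag: pass

    def handle_data(self, data):
        if self.marker not in data:
            return
        enclosing = self.open_tags[-1] if self.open_tags else None
        if enclosing in CODE_BEARING:
            self.contexts.append("text-in:%s" % enclosing)
        else:
            self.contexts.append("text")  # plain TEXT: content spoofing only

    def handle_comment(self, data):
        if self.marker in data:
            self.contexts.append("comment")

def classify_reflection(body, marker, content_type="text/html"):
    """Return the contexts in which `marker` is reflected in a response body."""
    if "json" in content_type:
        try:
            json.loads(body)
            return ["json"] if marker in body else []
        except ValueError:
            pass  # advertised as JSON but not parseable: inspect as markup
    finder = ReflectionContextFinder(marker)
    finder.feed(body)
    finder.close()
    return finder.contexts
```

A "text" finding under an ordinary tag is the content-spoofing case from the thread, while "text-in:script" or an attribute hit is what deserves a closer look.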