
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

This attack is known as HTTP response splitting. HTTP response splitting can be used for HTML injection by injecting strings like this:
%0a%0d%0a%0d
The two new lines/carriage returns separate the HTTP header from the HTTP body, and the script will be in the HTTP body and executed.
USERINPUT2 is placed within a title tag. IE does not allow script tags within title tags, but if an attacker can inject , then more likely than not, the attacker can inject this:

This breaks out of the title tag.
USERINPUT3 is placed within a style tag. One could set USERINPUT3 like so in IE:
black; background:url('javascript:alert(1)');
Then he could use this in Firefox:
1:expression(alert(1))
Equivalently, user input sometimes appears in style parameters as part of other tags, like this:

JavaScript can be executed in IE if you could set USERINPUT3A to this:
javascript:alert(1)
Or for Visual Basic fans, this can be used:
vbscript:MsgBox(1)
Firefox does not accept background:url() with javascript: protocol handlers.
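The two defensive checks a server-side developer would pair with the passages above: refusing header values that contain the CR/LF sequence that causes response splitting, and allowlisting a CSS colour so that none of the `expression()`, `javascript:` or `vbscript:` vectors can reach a style attribute. This is an added example, not code from the book; the function names and the sample inputs are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample inputs (not from the book): a benign redirect target and
# one carrying the URL-encoded CR/LF sequence the text describes.
SAFE_HEADER_VALUE = "/account?tab=settings"
SPLIT_HEADER_VALUE = "/account%0a%0d%0a%0d<script>alert(1)</script>"


def header_value_is_safe(raw_value: str) -> bool:
    """Return False if the value contains CR or LF after one round of URL-decoding.

    A CR/LF pair inside a header value terminates the header block early, so
    whatever follows it is parsed as the response body (HTTP response splitting).
    Decoding first catches the %0a/%0d forms that a framework would decode before
    writing the header.
    """
    decoded = unquote(raw_value)
    return "\r" not in decoded and "\n" not in decoded


def safe_header_value(raw_value: str) -> str:
    """Reject rather than filter: a value that fails the check never reaches the wire."""
    if not header_value_is_safe(raw_value):
        raise ValueError("CR/LF in header value")
    return raw_value


# Allowlist for a CSS colour that user input may supply (assumed policy): a
# named colour or a 3/6-digit hex value. Semicolons, parentheses and URL
# schemes cannot match, so 'expression(...)', url('javascript:...') and
# 'vbscript:...' are all refused without any per-vector blacklist.
_CSS_COLOR = re.compile(r"^(?:#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$")


def css_color_is_safe(value: str) -> bool:
    """True only if the value is a bare colour token suitable for a style attribute."""
    return _CSS_COLOR.fullmatch(value.strip()) is not None
```

Browser-specific quirks (which engines honour `expression()` or `javascript:` in `url()`) do not need to be tracked when the allowlist is this narrow; the decision is made on the input's shape, not on what any particular browser does with it.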

