[INVALID] HELP：a 0-day XSS ？

[江3如此多娇]

http://bbs.kafan.cn/thread-1622631-1-1.html

in the above post，there is a 0-day XSS as they discussed，and NS can not block it，So I post it here for some tips and advices to stop the auto-redirection

[Giorgio Maone]

Thank you for reporting.

I might be wrong, because I can't read Chinese, but looking at the code the author of the post seems to lack basic understanding of what XSS is:

Code: Select all

<embed src="javascript://baidu.com/%0Awindow.location.href="http://www.baidu.com/s?word=Hacked+By+CatCat520"; " autostart="0" type="video/x-ms-wmv" width="260" height="42"></embed>

The "technique" he demonstrates, i.e. loading a javascript: URI through an <embed> element and therefore causing its execution in the context of the embedding page (i.e. not cross-site) cannot qualify as XSS for obvious reason (the script is same-site) and, BTW, it won't either work on pages which are not already whitelisted by NoScript.

Actually, I fail to see any practical difference with

Code: Select all

<iframe src="javascript:alert(document.cookie)"></iframe>

which, again, is not XSS and not practically different than a plain

Code: Select all

<script>alert(document.cookie)</script>

placed in the page.

Again, I might be misunderstanding so any Chinese-speaking security researcher (or the post author himself) is welcome to chime in.

[GµårÐïåñ]

Giorgio, you understood correctly.

[江3如此多娇]

Thank you, Giorgio Maone and GµårÐïåñ, the explaination is very helpful to me