[INVALID] HELP:a 0-day XSS ?
Posted: Tue Sep 03, 2013 8:29 am
by 江3如此多娇
http://bbs.kafan.cn/thread-1622631-1-1.html
In the above post, there is a 0-day XSS as they discussed, and NS cannot block it, so I post it here for some tips and advice to stop the auto-redirection.
Re: HELP:a 0-day XSS ?
Posted: Tue Sep 03, 2013 7:40 pm
by Giorgio Maone
Thank you for reporting.
I might be wrong, because I can't read Chinese, but looking at the code the author of the post seems to lack basic understanding of what XSS is:
Code:
<embed src="javascript://baidu.com/%0Awindow.location.href="http://www.baidu.com/s?word=Hacked+By+CatCat520"; " autostart="0" type="video/x-ms-wmv" width="260" height="42"></embed>
The "technique" he demonstrates, i.e. loading a javascript: URI through an <embed> element and therefore causing its execution in the context of the embedding page (i.e. not cross-site), cannot qualify as XSS for obvious reasons (the script is same-site) and, BTW, it won't work either on pages which are not already whitelisted by NoScript.
Actually, I fail to see any practical difference with
Code:
<iframe src="javascript:alert(document.cookie)"></iframe>
which, again, is not XSS and not practically different than a plain
Code:
<script>alert(document.cookie)</script>
placed in the page.
Again, I might be misunderstanding so any Chinese-speaking security researcher (or the post author himself) is welcome to chime in.
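The point made in the reply above is that a javascript: URI in an embed or iframe src runs in the origin of the page that contains the markup, exactly like an inline script tag, so the only thing that matters for a defender is whether untrusted markup can reach the page at all. The following snippet is an added example written for this thread, not code from any of the posters or from NoScript: it classifies URL schemes the way a browser does (leading control characters ignored, scheme case-insensitive, tab/newline stripped), shows why the "//host/%0A" prefix in the posted payload is just a JavaScript line comment followed by a newline rather than a cross-site origin, and scans an HTML fragment for the three script-bearing constructs discussed above. The HTML samples, the example.invalid host and all function names are constructed for illustration.

```javascript
// Added example, not from the thread. Runs under plain Node.js without a DOM.

// Strip what a browser ignores at the start of a URL (C0 controls and space) and
// inside it (tab, newline, carriage return) before looking at the scheme.
function normalizeUrl(value) {
  return String(value).replace(/^[\u0000-\u0020]+/, "").replace(/[\t\n\r]/g, "");
}

// Return the lower-cased scheme of a URL, or null for a relative reference.
function urlScheme(value) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeUrl(value));
  return m ? m[1].toLowerCase() : null;
}

function isJavaScriptUri(value) {
  return urlScheme(value) === "javascript";
}

// For a javascript: URI, return the script body the browser would evaluate after
// percent-decoding. "javascript://example.invalid/%0Aalert(1)" decodes to a first line
// that is only a comment ("//example.invalid/") and then the real statement; the host
// part is never an origin, which is why this is same-site script, not XSS.
function javascriptUriBody(value) {
  if (!isJavaScriptUri(value)) return null;
  const raw = normalizeUrl(value);
  let body = raw.slice(raw.indexOf(":") + 1);
  try {
    body = decodeURIComponent(body);
  } catch (e) {
    // Malformed percent-escapes: keep the raw body rather than failing.
  }
  return body;
}

// Find constructs in an HTML fragment that execute script in the page's own origin:
// <script> elements, and embed/iframe/object/frame elements whose src is a javascript: URI.
// A regex scan is enough for this illustration; a real sanitizer should use an HTML parser.
function findInlineScriptSources(html) {
  const findings = [];
  if (/<script\b/i.test(html)) {
    findings.push({ element: "script", src: null });
  }
  const srcElements = /<(embed|iframe|object|frame)\b[^>]*?\bsrc\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = srcElements.exec(html)) !== null) {
    const src = m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : m[5];
    if (isJavaScriptUri(src)) {
      findings.push({ element: m[1].toLowerCase(), src });
    }
  }
  return findings;
}

// Constructed sample fragment mirroring the three snippets discussed in the thread,
// plus one harmless iframe that must not be flagged.
const SAMPLE_HTML = [
  "<p>hello</p>",
  "<embed src=\"javascript://example.invalid/%0Awindow.location.href='http://example.invalid/'\" type=\"video/x-ms-wmv\"></embed>",
  "<iframe src=\"javascript:alert(document.cookie)\"></iframe>",
  "<iframe src=\"https://example.invalid/frame\"></iframe>",
  "<script>alert(document.cookie)</script>",
].join("\n");

console.log(findInlineScriptSources(SAMPLE_HTML));
console.log(JSON.stringify(javascriptUriBody("javascript://example.invalid/%0Aalert(1)")));
```

All three flagged constructs are equivalent from a policy point of view: each runs in the embedding page's origin, so blocking them is a question of keeping untrusted markup out of the page (or of the page not being whitelisted for script in the first place), not of any cross-site boundary.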
Re: HELP:a 0-day XSS ?
Posted: Wed Sep 04, 2013 12:03 am
by GµårÐïåñ
Giorgio, you understood correctly.
Re: HELP:a 0-day XSS ?
Posted: Wed Sep 04, 2013 2:25 am
by 江3如此多娇
Thank you, Giorgio Maone and GµårÐïåñ, the explanation is very helpful to me.