XSS that goes past NoScript

Posted: Sat Apr 18, 2009 3:02 pm
by sbowne@ccsf.edu
There's an XSS vuln on the California Democratic Party website that works even with NoScript installed. I posted details here:

http://samsclass.info/123/ppt/XSS-DNC.html

Sam Bowne
City College San Francisco
Computer Networking and Information Technology
Box EVE-004, 50 Phelan Avenue, San Francisco, CA 94112

Re: XSS that goes past NoScript

Posted: Sat Apr 18, 2009 3:27 pm
by Giorgio Maone
Not quite.
Your "PoC" involves sending the POST from the site itself, therefore there's no cross-site scripting at all. It's "same site" scripting, not exploitable at all.
Anyway, the hole is there, so please come back with a PoC sending the POST from a different site, with the target site allowed to run script, and then you can call it an XSS passing through NoScript (very unlikely ;) )
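The distinction drawn in the reply above, between a POST sent from the site itself and one sent from a different site, as an added example that is not part of the thread and is not NoScript's code. The function name and the `.example` URLs are constructed for illustration, and the comparison is simplified to exact origins and hostnames rather than registrable domains.

```javascript
// Added illustration; all URLs below are constructed sample values.
// Classifies a form submission by comparing the origin of the page that
// sends the POST with the origin of the page that receives it.
function classifySubmission(initiatorUrl, targetUrl) {
  const target = new URL(targetUrl);        // throws on a malformed target
  if (!initiatorUrl) return "no-initiator"; // typed URL, bookmark, etc.

  let initiator;
  try {
    initiator = new URL(initiatorUrl);
  } catch (e) {
    return "cross-site";                    // unparsable sender is never the target site
  }

  // data: and similar schemes have the opaque origin "null",
  // which never matches a real site.
  if (initiator.origin === "null") return "cross-site";

  // origin = scheme + host + port, with default ports normalised away
  if (initiator.origin === target.origin) return "same-origin";

  // Same hostname but different scheme or port
  if (initiator.hostname === target.hostname) return "same-host";

  return "cross-site";
}

// Constructed cases mirroring the two situations discussed in the thread.
const target = "https://party.example/search";
const cases = [
  ["https://party.example/form.html", target], // POST sent from the site itself
  ["https://other.example/poc.html", target],  // POST sent from a different site
  ["data:text/html,<form></form>", target],    // opaque-origin sender
];
for (const [from, to] of cases) {
  console.log(from, "->", classifySubmission(from, to));
}
```

Only the second and third cases are submissions that cross a site boundary; the first is the "same site" situation the reply describes.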