CodeIgniter Forums
C with xss = C - Printable Version

+--- Thread: C with xss = C (/showthread.php?tid=20024)



C with xss = C - El Forum - 06-25-2009

[eluser]CrustyDOD[/eluser]
Just saw this. When you use XSS on an input field and you have, let's say, this: SecretCPasword

When you submit that, it will result in: SecretCPasword

Which is wrong.

Any way to fix this behaviour and still be able to use XSS?


C with xss = C - El Forum - 06-25-2009

[eluser]Dam1an[/eluser]
You either had something stripped out (an 's' perhaps) or there's no difference?


C with xss = C - El Forum - 06-25-2009

[eluser]CrustyDOD[/eluser]
Oh lol, see it works the same here!

Secret%.4.3Pasword <--- REMOVE dots (.)

Result is SecretCPasword which is wrong!


C with xss = C - El Forum - 06-25-2009

[eluser]SardiorDragon[/eluser]
A simple fix (and one you are probably not looking for) is to just not allow %'s in passwords.


C with xss = C - El Forum - 06-25-2009

[eluser]CrustyDOD[/eluser]
Yes, and what about, for example, a message field and stuff like that? Even this field that I'm typing into, same thing. Should I ban % from ALL the fields? Bad bad fix. Smile


C with xss = C - El Forum - 06-25-2009

[eluser]SardiorDragon[/eluser]
I was only thinking you cared about passwords. So yes that fix would fail for all other fields. I don't have a fix for the other fields at this time.


C with xss = C - El Forum - 06-25-2009

[eluser]Thorpe Obazee[/eluser]
[quote author="CrustyDOD" date="1245963923"]Just saw this. When you use XSS on an input field and you have, let's say, this: SecretCPasword

When you submit that, it will result in: SecretCPasword

Which is wrong.

Any way to fix this behaviour and still be able to use XSS?[/quote]

Am I missing something? "SecretCPasword" looks very very very similar to "SecretCPasword".


C with xss = C - El Forum - 06-26-2009

[eluser]SardiorDragon[/eluser]
[quote author="bargainph" date="1245995803"]
Am I missing something? "SecretCPasword" looks very very very similar to "SecretCPasword".[/quote]

Look at:

[quote author="CrustyDOD" date="1245974321"]Oh lol, see it works the same here!

Secret%.4.3Pasword <--- REMOVE dots (.)

Result is SecretCPasword which is wrong![/quote]

See the %.4.3 (remove the dots and you get C when the xss is run on it).
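The behaviour the thread describes, reproduced and mitigated in an added example (this is not code from the thread or from CodeIgniter itself). It assumes that the URL-decoding step of the XSS filter is what turns "%43" into "C", which is consistent with CodeIgniter's xss_clean() running rawurldecode() on its input; the helper decoding_filter() is a constructed stand-in for that step only, and the sample values are constructed.

```php
<?php
// Added example, not from the thread or from CodeIgniter.
// A sanitizer that URL-decodes its input rewrites "%43" to "C", so a
// password containing a literal "%43" is silently changed before it is
// hashed or compared. The fix is to choose which fields get filtered,
// not to ban "%" from every field.

// Constructed stand-in for the decoding step of an XSS filter (assumption:
// the real filter does much more; only the decoding matters here).
function decoding_filter($value)
{
    return rawurldecode($value);
}

// Returns true when the filter would alter the value, i.e. when applying it
// to a password would make the stored/compared secret differ from what the
// user typed.
function filter_changes_value($value)
{
    return decoding_filter($value) !== $value;
}

// Fix 1: a password is never rendered, so it should never be passed through
// an XSS filter. Hash the raw value exactly as received.
function store_password($raw_password)
{
    return password_hash($raw_password, PASSWORD_DEFAULT);
}

function check_password($raw_password, $stored_hash)
{
    return password_verify($raw_password, $stored_hash);
}

// Fix 2: fields that ARE rendered (message bodies etc.) keep their stored
// value intact and are escaped at output time, which leaves "%43" alone.
function render_text($stored_value)
{
    return htmlspecialchars($stored_value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample, the same shape as the value in the thread.
$submitted = 'Secret%43Pasword';

echo 'Filtered:        ', decoding_filter($submitted), PHP_EOL;
echo 'Filter alters it: ', filter_changes_value($submitted) ? 'yes' : 'no', PHP_EOL;

$hash = store_password($submitted);
echo 'Raw value verifies:      ', check_password('Secret%43Pasword', $hash) ? 'yes' : 'no', PHP_EOL;
echo 'Filtered value verifies: ', check_password('SecretCPasword', $hash) ? 'yes' : 'no', PHP_EOL;

echo 'Rendered message: ', render_text('Save 100%43 today? <b>no</b>'), PHP_EOL;
```

Running it shows the filtered password as SecretCPasword while the hash made from the raw value verifies only against the raw "Secret%43Pasword". In CodeIgniter terms (1.7-era API): $this->input->post('password') returns the raw value, passing TRUE as the second argument runs xss_clean on it, and $config['global_xss_filtering'] = TRUE in config.php pushes every field, passwords included, through the filter, so that setting is the first thing to check when a password "changes" on submit.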