C with xss = C - Printable Version
CodeIgniter Forums (https://forum.codeigniter.com)
Thread: C with xss = C (/showthread.php?tid=20024)
C with xss = C - El Forum - 06-25-2009
[eluser]CrustyDOD[/eluser]
Just saw this. When you use XSS on an input field and you have, let's say, this:

SecretCPasword

When you submit that, it will result in:

SecretCPasword

Which is wrong. Any way to fix this behaviour and still be able to use XSS?

C with xss = C - El Forum - 06-25-2009
[eluser]Dam1an[/eluser]
You either had something stripped out (an 's' perhaps) or there's no difference?

C with xss = C - El Forum - 06-25-2009
[eluser]CrustyDOD[/eluser]
Oh lol, see, it works the same here!

Secret%.4.3Pasword <--- REMOVE dots (.)

Result is SecretCPasword, which is wrong!

C with xss = C - El Forum - 06-25-2009
[eluser]SardiorDragon[/eluser]
A simple fix (and one you are probably not looking for) is to just not allow %'s in passwords.

C with xss = C - El Forum - 06-25-2009
[eluser]CrustyDOD[/eluser]
Yes, and what about, for example, a message field and stuff like that? Even this field that I'm typing into, same thing. Should I ban % from ALL the fields? Bad bad fix.

C with xss = C - El Forum - 06-25-2009
[eluser]SardiorDragon[/eluser]
I was only thinking you cared about passwords. So yes, that fix would fail for all other fields. I don't have a fix for the other fields at this time.

C with xss = C - El Forum - 06-25-2009
[eluser]Thorpe Obazee[/eluser]
[quote author="CrustyDOD" date="1245963923"]Just saw this. When you use XSS on an input field and you have, let's say, this:

SecretCPasword

When you submit that, it will result in:

SecretCPasword

Which is wrong. Any way to fix this behaviour and still be able to use XSS?[/quote]

Am I missing something? "SecretCPasword" looks very very very similar to "SecretCPasword".

C with xss = C - El Forum - 06-26-2009
[eluser]SardiorDragon[/eluser]
[quote author="bargainph" date="1245995803"]Am I missing something? "SecretCPasword" looks very very very similar to "SecretCPasword".[/quote]

Look at:

[quote author="CrustyDOD" date="1245974321"]Oh lol, see, it works the same here!

Secret%.4.3Pasword <--- REMOVE dots (.)

Result is SecretCPasword, which is wrong![/quote]

See the %.4.3 (remove the dots and you get C when the xss is run on it).
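Added example, not from this thread or from CodeIgniter's own source: the behaviour SardiorDragon points out is what you get when a filter URL-decodes its input before filtering, which PHP's rawurldecode() reproduces ("%43" is the percent-encoding of "C"). The helper names decode_step() and filter_changed() are mine; the sample value is constructed.

```php
<?php
// Models the URL-decode step of an XSS filter. Not CodeIgniter code;
// rawurldecode() is a PHP built-in and turns "%43" into "C".
function decode_step(string $value): string
{
    return rawurldecode($value);
}

// True when the filter altered the submitted bytes. A value that must be
// stored or compared exactly (a password, a token) must not be filtered.
function filter_changed(string $raw, string $filtered): bool
{
    return $raw !== $filtered;
}

$submitted = 'Secret%43Pasword';        // constructed sample input
$cleaned   = decode_step($submitted);   // becomes "SecretCPasword"

if (filter_changed($submitted, $cleaned)) {
    // Log the mutation instead of silently accepting the changed value.
    error_log('XSS filter altered a password field; hashing the raw value instead');
}

// Mitigation: hash and verify the raw submission, never the filtered one.
// Escape on output (htmlspecialchars) for fields that are rendered as HTML.
$hash = password_hash($submitted, PASSWORD_DEFAULT);
$ok_raw      = password_verify($submitted, $hash); // the user's real password
$ok_filtered = password_verify($cleaned, $hash);   // the mutated value does not match
```

The same before/after comparison works for free-text fields: keep the raw value for storage, run the filter only on the copy you render, and you no longer need to ban "%" anywhere.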