Showing posts from March, 2014

Cross Site Scripting Filter Bypassing using Header Injection (CRLF).....

This is my first technical writing, so please share your reviews and suggestions.
I would like to share a cross-site scripting vulnerability found in one of the applications I was testing. XSS is usually very common in websites. However, I found this one interesting, as this vulnerability is triggered using another known vulnerability, CRLF.
The application I was testing is very secure against XSS, as it has restrictions on both input and output. 1. Whenever a tag with "<" and ">" together (like <script>) is used in input, the application filters it and redirects to an error page. 2. If you use either "<" or ">" without the other, it encodes the input to HTML-entity-encoded form. I found this irritating and tried all known attack vectors, but found nothing and only got forcibly logged out.
So I stopped hunting for XSS and concentrated more on other conventional bug…