Re: [Full-Disclosure] [A bug!] Whom to blame, the HTML interpreter or the JavaScript compiler?
- To: bipin gautam <visitbipin@yahoo.com>
- Subject: Re: [Full-Disclosure] [A bug!] Whom to blame, the HTML interpreter or the JavaScript compiler?
- From: Wayne Schroeder <raz@chewies.net>
- Date: Sat, 11 Oct 2003 00:40:14 -0500
At this point, I'm about ready to classify your email as flamebait. I'm
not quite sure if you're not just yanking everyone's chain here. The
only issue that this could ever cause is if someone allowed untrusted,
unescaped data into a javascript <script> tag set. This of course is a
BadThing(tm) and is just another XSS vuln method. It's not a vuln or
bug with any web browser. You might as well blame them for being
standards compliant. It is the job of the browser to stop parsing the
stuff inside the <script> tag when it hits a </script> no matter what.
It is the web app / cgi programmer who must make sure this does not
happen, not the browsers. You might as well blame the browser for
allowing people to insert " or ' in an HTML tag such as a form input
value attribute.
Let's recap...
It's not any browser's fault or any javascript parser's fault.
The javascript parser only sees what is inside script tags.
Escape any data from an untrusted source that goes to the web browser.
To escape said text, depending on what the context is, let's say for the
sake of argument and example, a string constant in double quotes, all
you have to do is escape things that can cause issues with a \.
For instance... in Perl.
my $data = "hey string</script><script>alert('PWNED');</script>";
$data =~ s/(\W)/\\$1/g;
now $data is the following:
hey\ string\<\/script\>\<script\>alert\(\'PWNED\'\)\;\<\/script\>
This string can go inside a javascript string constant and won't cause
the HTML PARSER to think it's the end of the javascript block. Some may
think that \W is adding too many \ to the string but it gets the job
done. You could use another char set like [^<"'\\] or similar if you
were anal about it.
You can't blame web browsers for the XSS issues that lacky web coders
allow. I don't know what vendor you contacted but the only things you
mentioned were web browsers so I am guessing you contacted MS or the
mozilla team. Don't be surprised when they don't consider it a browser
> fine! i am stupid then!
You said it, not me.
> I MEAN!!!
Something tells me they used another metric... perhaps because you're
also fishing for jobs and scholarships with an 'advisory' that many
people have already tried to explain is not valid.
On Fri, Oct 10, 2003 at 08:53:53PM -0700, bipin gautam wrote:
> fine! i am stupid then!
> you will regret those words when you are using my
> exploit's to .....
> hell search google! you will find a lot!
> http://www.google.com.np/search?q=%22bipin+gautam%22+hUNT3R&ie=UTF-8&oe=UTF-8&hl=ne&btnG=%E0%A4%97%E0%A5%81%E0%A4%97%E0%A4%B2+%E0%A4%96%E0%A5%8B%E0%A4%9C%E0%A5%80
> I MEAN!!!
> -------------------------------------
> --- bipin gautam <visitbipin@yahoo.com> wrote:
> > well... i've PERSONALLY tried it with IE 6 AND Opera
> > 7.11 and MOZILLa....... for windows!
> >
> > well... for the other statistic i've been reported
> > by
> > friends/people like you!
> >
> > it does work!
> >
> >
> > --------------------------------------
> > --- Florian Huber <florian.huber@mnet-online.de>
> > wrote:
> > > On Fri, 10 Oct 2003 10:38:59 -0700 (PDT)
> > > bipin gautam <visitbipin@yahoo.com> wrote:
> > >
> > > > --- [Effected] ---
> > > It's spelled "affected" ;P
> > >
> > > > All versions of "OPERA, MOZILLA and INTERNET
> > > > available up to this, relese DATE!
> > >
> > > Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a)
> > > Gecko/20030813
> > > Mozilla Firebird/0.6.1
> > >
> > > Definitely _not_ vulnerable...
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter:
> > http://lists.netsys.com/full-disclosure-charter.html
> >
> >
> > __________________________________
> > Do you Yahoo!?
> > The New Yahoo! Shopping - with improved product
> > search
> > http://shopping.yahoo.com
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
> http://lists.netsys.com/full-disclosure-charter.html
> __________________________________
> Do you Yahoo!?
> The New Yahoo! Shopping - with improved product search
> http://shopping.yahoo.com
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
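
Added example, not part of the original message or thread: a JavaScript sketch of the point made in the reply above, using a simplified model of where the HTML parser ends an inline script block and a port of the Perl \W substitution. The function names and the sample input (extended with a newline) are constructed for illustration, and the line-terminator handling goes beyond the Perl one-liner.

```javascript
// Simplified model of the HTML parser: an inline script block ends at the
// first "</script" (any case) followed by whitespace, "/" or ">", no matter
// whether that text sits inside a JavaScript string literal.
function scriptBlockEnd(body) {
  const m = /<\/script[\s\/>]/i.exec(body);
  return m ? m.index : -1;
}

// Backslash-escape every non-word character, like the Perl s/(\W)/\\$1/g.
// Line terminators get \n-style escapes instead: a backslash followed by a
// raw newline is a line continuation in a JavaScript string literal, so the
// newline would silently disappear from the value.
const LINE_TERMINATORS = {
  '\n': '\\n', '\r': '\\r', '\u2028': '\\u2028', '\u2029': '\\u2029',
};
function escapeForJsString(data) {
  return data.replace(/\W/g, (ch) => LINE_TERMINATORS[ch] || '\\' + ch);
}

// Body of an inline <script> that assigns the data to a variable,
// with or without escaping (hypothetical server-side template step).
function inlineScriptBody(data, escape) {
  return 'var msg = "' + (escape ? escapeForJsString(data) : data) + '";';
}

// Run the generated statement and return the string the script would see.
function evaluate(body) {
  return new Function(body + ' return msg;')();
}

// Constructed sample input: the string from the post plus a second line.
const untrusted =
  "hey string</script><script>alert('PWNED');</script>\nline 2";
const raw = inlineScriptBody(untrusted, false);
const safe = inlineScriptBody(untrusted, true);

console.log('unescaped: block ends at offset', scriptBlockEnd(raw));
console.log('escaped:   block ends at offset', scriptBlockEnd(safe));
console.log('escaped value round-trips:', evaluate(safe) === untrusted);
```

In the unescaped case the block ends in the middle of the string constant, so the rest of the data is parsed as HTML; in the escaped case no end tag is found and the JavaScript parser recovers the original string.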