dummy hack test
<script src="http://_.com/_.js"></script>
If you do not see the above line of text , then there is a problem. If the forum software had not converted the line containing the HTML tags, etc. into this: <script src="http://_.com/_.js"></script> then it would have been possible to attempt to run a js script from anywhere on the web in your browser. "dummy" means 1. it's not a real test and/or 2. the poster |
Quote:
This site uses the option to disable all HTML in messages, using bbcode tags only. That's the simplest and safest option. However, it does turn a URL string into HTML. Notice what it did in your message. If the proper security is in place it would not turn it into a URL that will execute Javascript. Hmm, I should check that but I have to run out the door in two minutes. |
Quote:
<script src="http://_.com/_.js"></script> as the contents of the URL and a click on "Preview Post" showed that the forum software had inserted zero, zilch, nada, thus blocking this kind of attack via the "Insert link" function. As you say, I would have expected that such potential vulnerabilities have been closed long ago. I did not really expect to be able to show up any vulnerability in the first place. The main point of my OP was to show how little text is required to create an attack that could work without any clicking on any link by the user at all, if some vulnerabilities on both sides (server and browser) are unpatched. |
Quote:
|
Quote:
|
All times are GMT -5. The time now is 11:17 PM. |
Powered by vBulletin® Version 3.7.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.