XSS

Samiux
14 September 2011, 17:13

Hiawatha version: 7.6
Operating System: Ubuntu Server 11.04

I think it is not a bug in general. I found that the following XSS codes are bypassed:

<sCrIpT>alert("XSS")</ScRiPt>

and

<meta http-equiv="refresh" content="0; URL=http://some.domain.com"/>

For your information, please.

Samiux

Hugo Leisink
14 September 2011, 21:45
The XSS prevention works only for XSS in the URL. Did you use that alert() in a URL?

I've never seen a website that allows a user to insert HTML headers. So, I don't consider the meta tag example as a realistic threat.

Samiux
15 September 2011, 04:55
Hi Hugo,

I insert the captioned command inside an input field such as a message box.

Samiux

Samiux
15 September 2011, 04:58
Hi Hugo,

Forgot to include a YouTube. The technique is using meta tag. Here you are:

http://samiux.blogspot.com/2011/09/howto-deface-website-fast.html

Samiux

Hugo Leisink
15 September 2011, 20:56
The meta tag in a POST request is something you can block with the DenyBody option.
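
An added sketch, not Hiawatha code or configuration and not from either poster: it models a DenyBody-style regular-expression check on a POST body in Python, to show what such a pattern has to cover for the two payloads quoted in this thread, next to output encoding on the application side. How Hiawatha itself decodes and matches the body is not modelled; the field name `message` and the patterns are assumptions.

```python
import re
from html import escape
from urllib.parse import urlencode, unquote_plus

# Constructed sample inputs: the two payloads quoted in this thread.
SCRIPT = '<sCrIpT>alert("XSS")</ScRiPt>'
META = '<meta http-equiv="refresh" content="0; URL=http://some.domain.com"/>'

# Hypothetical deny patterns (assumptions, not Hiawatha defaults).
NAIVE = [re.compile(r"<script")]  # case-sensitive, script tag only
HARDENED = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"<\s*meta\b[^>]*http-equiv", re.I),
]

def form_body(value, field="message"):
    """Build the urlencoded POST body a browser sends for one form field."""
    return urlencode({field: value})

def body_denied(body, patterns, decode=True):
    """Return True if any pattern matches the (optionally URL-decoded) body."""
    text = unquote_plus(body) if decode else body
    return any(p.search(text) for p in patterns)

def render_message(value):
    """Output encoding: the stored value is displayed as text, never as markup."""
    return "<p>" + escape(value, quote=True) + "</p>"

if __name__ == "__main__":
    for name, payload in (("script", SCRIPT), ("meta", META)):
        body = form_body(payload)
        print(name,
              "| naive:", body_denied(body, NAIVE),
              "| hardened:", body_denied(body, HARDENED),
              "| hardened on raw body:", body_denied(body, HARDENED, decode=False))
        print(render_message(payload))
```

A pattern written against literal `<` characters never fires on the raw urlencoded body, because the browser sends `%3C`; and even a filter that catches both payloads is only a second layer behind encoding the value when the page is rendered.
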
Samiux
16 September 2011, 04:53
Hi Hugo,

Please take a while to visit this site:

http://forum.intern0t.net/web-hacking-war-games/3412-bypassing-cross-site-scripting-filters.html

Samiux

Samiux
16 September 2011, 04:58
Hi Hugo,

How to do that for more than one DenyBody? And how to do that with the captioned meta tag?

Samiux

Samiux
17 September 2011, 02:33
Hi Hugo,

The captioned questions have been solved. Thanks for your great and powerful software.

Samiux

This topic has been closed.