Naziv
|
XSS Using Doubled Characters
|
Sažetak
|
The attacker bypasses input validation by using doubled characters in order to perform a cross-site scripting attack. Some filters fail to recognize dangerous sequences if they are preceded by repeated characters. For example, by doubling the < before a script command, (<<script or %3C%3script using URI encoding) the filters of some web applications may fail to recognize the presence of a script tag. If the targeted server is vulnerable to this type of bypass, the attacker can create a crafted URL or other trap to cause a victim to view a page on the targeted server where the malicious content is executed, as per a normal XSS attack.
|
Preduvjeti
|
The targeted web application does not fully normalize input before checking for prohibited syntax. In particular, it must fail to recognize prohibited methods preceded by certain sequences of repeated characters.
|
Rješenja
|
['Design: Use libraries and templates that minimize unfiltered input.', 'Implementation: Normalize, filter and sanitize all user supplied fields.', 'Implementation: The victim should configure the browser to minimize active content from untrusted sources.']
|