A bug in IE allows hackers to conduct XSS attacks


  • Joined: 02 Feb 2008
  • Posts: 14018
  • Location: Nish

Quote: Here are the technical details. Internet Explorer (IE) doesn't encode double quote characters (") in the query part of the uniform resource identifier (URI). This behavior, besides being non-standard (as stated by the RFC and implemented by other browsers including Chrome or Firefox), may expose IE users to reflected XSS attacks. How? Websites may assume that the URI in the request is properly encoded by the browser and embed it "as is" in the HTML response. Since double quotes are not properly encoded by IE, it may break the website's HTML structure and allow an attacker to smuggle an XSS attack against the IE user.
Quote: It's easy to verify that a double quote should be "pct-encoded" and therefore represented as %22.
Quote: For example, typing the following URI in IE's address bar, 'http://example.com/Sea"rch.asp?q"="b"', over the wire will be 'GET /Sea%22rch.asp?q"="b" '
Quote: We have contacted Microsoft and got the following response:

Thank you for writing to us. The behavior you are describing is something that we are aware of and are evaluating for changes in future versions of IE, however it's not something that we consider to be a security vulnerability that will be addressed in a security update.

Source: http://blog.imperva.com/2012/01/ie-bug-exposes-its-users-to-xss-attacks-.html
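The behaviour quoted above, as an added worked example that is not part of the Imperva post or the forum thread. It models both halves of the bug: RFC 3986 pct-encoding of a request target (so '"' in the query becomes %22) beside an IE-style sender that encodes the path but ships the query untouched, and a server that reflects the request URI "as is" into an HTML attribute beside a hardened version that HTML-attribute-encodes it regardless of what the client sent. The function names (asIeWouldSend, renderPermalink*, attributeNames), the attack URL and the page markup are my own constructed illustration, not IE internals or any real site.

```javascript
// Added example, not code from the Imperva post or the forum.
// Names and sample URLs below are constructed for illustration.

// Characters RFC 3986 lets stand unencoded: pchar = unreserved / sub-delims /
// ":" / "@"; the path also allows "/", the query also allows "/" and "?".
// '"' is in neither set, so a conforming sender must emit %22.
const PATH_SAFE  = /[A-Za-z0-9\-._~!$&'()*+,;=:@\/]/;
const QUERY_SAFE = /[A-Za-z0-9\-._~!$&'()*+,;=:@\/?]/;

// Pct-encode every code point outside `safe`; existing %XX escapes are kept.
function pctEncode(s, safe) {
  const chars = Array.from(s);            // iterate by code point, not UTF-16 unit
  let out = '';
  for (let i = 0; i < chars.length; i++) {
    const ch = chars[i];
    const next2 = chars.slice(i + 1, i + 3).join('');
    if (ch === '%' && /^[0-9A-Fa-f]{2}$/.test(next2)) {
      out += '%' + next2;                 // already encoded, pass through
      i += 2;
    } else if (safe.test(ch)) {
      out += ch;
    } else {
      for (const b of new TextEncoder().encode(ch)) {
        out += '%' + b.toString(16).toUpperCase().padStart(2, '0');
      }
    }
  }
  return out;
}

// Split an origin-relative request target into path and query at the first '?'.
function splitTarget(target) {
  const q = target.indexOf('?');
  return q < 0 ? [target, null] : [target.slice(0, q), target.slice(q + 1)];
}

// What a standards-following browser (Chrome, Firefox) puts on the wire.
function asRfcBrowserWouldSend(target) {
  const [path, query] = splitTarget(target);
  return pctEncode(path, PATH_SAFE) + (query === null ? '' : '?' + pctEncode(query, QUERY_SAFE));
}

// Model of the IE behaviour the post describes: path encoded, query left raw.
// Assumption: this models only the '"'-in-query case, not every IE quirk.
function asIeWouldSend(target) {
  const [path, query] = splitTarget(target);
  return pctEncode(path, PATH_SAFE) + (query === null ? '' : '?' + query);
}

// Vulnerable server: trusts the browser to have encoded the URI and reflects
// the request target into an attribute unchanged ("as is").
function renderPermalinkVulnerable(requestTarget) {
  return '<a href="' + requestTarget + '">permalink</a>';
}

// Hardened server: attribute-encode whatever arrived, so a stray '"' cannot
// close the attribute no matter which client sent it.
function htmlAttrEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function renderPermalinkHardened(requestTarget) {
  return '<a href="' + htmlAttrEncode(requestTarget) + '">permalink</a>';
}

// Attribute names on the first tag of the markup. Anything beside `href`
// means the injected '"' closed the attribute, i.e. the XSS landed.
function attributeNames(html) {
  const tag = html.slice(0, html.indexOf('>') + 1);
  return Array.from(tag.matchAll(/\s([A-Za-z][\w-]*)="[^"]*"/g), m => m[1]);
}

// Constructed attack URL: the payload sits in the query, where IE leaves '"' raw.
const ATTACK = '/Search.asp?q=x" onmouseover="alert(1)';

// The post's own example, reproduced by the two sender models.
console.log(asIeWouldSend('/Sea"rch.asp?q"="b"'));         // /Sea%22rch.asp?q"="b"
console.log(asRfcBrowserWouldSend('/Sea"rch.asp?q"="b"')); // /Sea%22rch.asp?q%22=%22b%22

// Vulnerable site, IE client: a second attribute appears next to href.
console.log(attributeNames(renderPermalinkVulnerable(asIeWouldSend(ATTACK))));         // [ 'href', 'onmouseover' ]
// Same site, RFC-conforming client: the %22 stays inside the attribute value.
console.log(attributeNames(renderPermalinkVulnerable(asRfcBrowserWouldSend(ATTACK)))); // [ 'href' ]
// Hardened site, IE client: attribute encoding holds even with the raw '"'.
console.log(attributeNames(renderPermalinkHardened(asIeWouldSend(ATTACK))));           // [ 'href' ]
```

The practical takeaway matches the vendor response in the post: since Microsoft classed the behaviour as a non-security change, the fix belongs on the server. Output-encode the request URI for the HTML context it lands in (attribute encoding here) rather than relying on the client having pct-encoded it.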
