A bug in IE allows hackers to conduct XSS attacks


offline
  • Joined: 02 Feb 2008
  • Posts: 14018
  • Location: Nish

Quote: Here are the technical details. Internet Explorer (IE) doesn't encode double quote characters (") in the query part of the uniform resource identifier (URI). This behavior, besides being non-standard (as stated by RFC and implemented by other browsers including Chrome or Firefox), may expose IE users to reflected XSS attacks. How? Websites may assume that the URI in the request is properly encoded by the browser and embed it "as is" in the HTML response. Since double quotes are not properly encoded by IE, it may break the website's HTML structure and allow an attacker to smuggle an XSS attack against the IE user.
Quote: It's easy to verify that double quote should be "pct-encoded" and therefore represented as %22.
Quote: For example, typing the following URI in IE's address bar: 'http://example.com/Sea"rch.asp?q"="b"' over the wire it will be 'GET /Sea%22rch.asp?q"="b" '
Quote: We have contacted Microsoft and got the following response:

Thank you for writing to us. The behavior you are describing is something that we are aware of and are evaluating for changes in future versions of IE, however it's not something that we consider to be a security vulnerability that will be addressed in a security update.



Source: http://blog.imperva.com/2012/01/ie-bug-exposes-its-users-to-xss-attacks-.html
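The server-side half of the problem described above, as an added example that is not from the post or the Imperva article: a page that embeds the request URI "as is" beside one that re-encodes it per RFC 3986 before embedding, with a check showing that the raw IE-style request line (constructed from the post's example) escapes the `href` attribute only in the first case. The request targets and function names are assumptions for illustration.

```python
import html
import re
from urllib.parse import quote, unquote, urlsplit

# Constructed request targets for the address in the post. Per the post, IE
# sends the query part with raw double quotes; a standards-following browser
# pct-encodes them as %22.
IE_RAW_TARGET = '/Sea%22rch.asp?q"="b"'
STANDARD_TARGET = '/Sea%22rch.asp?q%22=%22b%22'


def vulnerable_page(request_target: str) -> str:
    """The pattern the post warns about: the request URI is embedded 'as is'
    in an attribute, trusting the browser to have encoded it."""
    return f'<a href="{request_target}">Search again</a>'


def hardened_page(request_target: str) -> str:
    """Do not trust the browser: re-encode the target per RFC 3986 (a raw '"'
    becomes %22, existing %XX escapes are kept) and HTML-escape it."""
    parts = urlsplit(request_target)
    safe = quote(parts.path, safe="/%")
    if parts.query:
        safe += "?" + quote(parts.query, safe="=&%")
    return f'<a href="{html.escape(safe, quote=True)}">Search again</a>'


def href_a_browser_sees(page: str) -> str:
    """The href value as a browser reads it (up to the next '"'), decoded."""
    raw = re.search(r'href="([^"]*)"', page).group(1)
    return unquote(html.unescape(raw))


def breaks_out_of_attribute(page: str, request_target: str) -> bool:
    """True when part of the request target ended up outside the href
    attribute, i.e. the URI altered the page's HTML structure."""
    return href_a_browser_sees(page) != unquote(request_target)


def has_unencoded_quote(request_target: str) -> bool:
    """Server-side check: a request line still carrying a raw '"' did not
    come from a browser that encodes per RFC 3986; worth logging."""
    return '"' in request_target


if __name__ == "__main__":
    for target in (IE_RAW_TARGET, STANDARD_TARGET):
        print(target, "raw quote:", has_unencoded_quote(target))
        print("  as-is page broken:   ", breaks_out_of_attribute(vulnerable_page(target), target))
        print("  hardened page broken:", breaks_out_of_attribute(hardened_page(target), target))
```

Note that `hardened_page` yields the same HTML for both request lines, so the application no longer depends on which browser did the encoding.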


