Closed Bug 252827 Opened 21 years ago Closed 21 years ago

XSS attack easy to hide

Categories

(Core :: DOM: HTML Parser, defect)

x86
Windows 2000
defect
Not set
normal

Tracking


RESOLVED INVALID

People

(Reporter: josephgama, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040616
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040616

I am creating rules for Snort related to XSS and noticed that Mozilla allows junk characters after the <SCRIPT and it makes it harder for an IDS to detect it.

<SCRIPT >alert("hi");</SCRIPT>
<SCRIPT >alert("hi");</SCRIPT>
<SCRIPT%9>alert("hi");</SCRIPT>
<SCRIPT%000009>alert("hi");</SCRIPT>
<SCRIPT%0>alert("hi");</SCRIPT>
<SCRIPT%1>alert("hi");</SCRIPT>
<SCRIPT%31>alert("hi");</SCRIPT>
<SCRIPT%uFFFF>alert('hi');</SCRIPT>
<SCRIPT%uFFEF>alert('hi');</SCRIPT>
<SCRIPT%u0041>alert('hi');</SCRIPT>

Reproducible: Always

Steps to Reproduce:
1. Place each line in a text input and submit it to a page that will write it back to the browser.

Actual Results:
I got the alert.

Expected Results:
If it accepted only <SCRIPT> it would be better. Ignoring all junk before > would increase security.
-> html parser... but I really think it's just the IDS that needs to be fixed. Note that Mozilla can't just ignore anything after <script, since it may have attributes that Mozilla needs (src, type, language).
Assignee: general → parser
Component: Browser-General → HTML: Parser
QA Contact: general
Indeed. We have to attempt to convert that data to unicode and then tokenize it.
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
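The two comments above make the defender's point: the browser tokenizes a tag name and then treats everything up to the closing > as attributes (or junk), so an IDS rule that matches the literal string <SCRIPT> misses every variant in the report. The following Python sketch is an added example, not code from the bug report, from Snort or from Mozilla. It runs the reporter's ten variants (embedded as constructed test input; one of the two whitespace lines is given a tab, an assumption, since the tracker flattened the original whitespace) through a literal rule and through a tag-name rule that first applies the percent and %uXXXX decodings a server might perform, then matches on the tag-name token the way a tokenizer would. It goes slightly beyond the report by also showing a fully percent-encoded tag, which the raw-text rule misses and the decode-then-tokenize rule catches.

```python
"""Tokenizer-aware matching for <script ...> variants (added example)."""
import re
from urllib.parse import unquote

# Constructed sample inputs: the variants listed in the bug report, as literal strings.
SAMPLES = [
    '<SCRIPT>alert("hi");</SCRIPT>',
    '<SCRIPT\t>alert("hi");</SCRIPT>',          # assumption: tab, flattened in the tracker
    '<SCRIPT%9>alert("hi");</SCRIPT>',
    '<SCRIPT%000009>alert("hi");</SCRIPT>',
    '<SCRIPT%0>alert("hi");</SCRIPT>',
    '<SCRIPT%1>alert("hi");</SCRIPT>',
    '<SCRIPT%31>alert("hi");</SCRIPT>',
    "<SCRIPT%uFFFF>alert('hi');</SCRIPT>",
    "<SCRIPT%uFFEF>alert('hi');</SCRIPT>",
    "<SCRIPT%u0041>alert('hi');</SCRIPT>",
]

# Constructed benign inputs that a tag-name rule must not flag.
BENIGN = [
    '<b>hi</b>',
    'script>alert(1)',                # no tag open
    '<scripture>text</scripture>',    # longer tag name, not "script"
    'no tags at all',
]

# Constructed extra case: the whole tag percent-encoded (e.g. still in its URL form).
ENCODED = '%3Cscript%3Ealert(1)%3C/script%3E'


def literal_rule(payload: str) -> bool:
    """Signature of the kind the reporter started with: the exact string '<script>'."""
    return '<script>' in payload.lower()


# Tag-name rule: '<' directly followed by the name 'script', which must not continue
# with another name character (so '<scripture>' is not a hit), then anything up to
# the first '>' (attributes, whitespace, or junk). Case-insensitive like the browser.
TAG_RULE = re.compile(r'<script(?![a-z0-9])[^>]*>', re.IGNORECASE)

_UESC = re.compile(r'%u([0-9a-fA-F]{4})')


def decode_variants(payload: str):
    """Yield the forms the payload may take after common server-side decoding.

    Raw text first (the browser may receive it as-is), then percent-decoded, then
    with the non-standard %uXXXX escape resolved before percent-decoding. unquote()
    leaves malformed sequences such as '%9' untouched, which is the lenience we want:
    the browser will see that junk and skip over it.
    """
    yield payload
    yield unquote(payload)
    yield unquote(_UESC.sub(lambda m: chr(int(m.group(1), 16)), payload))


def tag_rule(payload: str) -> bool:
    """Flag the payload if any decoding of it tokenizes to a <script ...> tag."""
    return any(TAG_RULE.search(variant) for variant in decode_variants(payload))


def evaluate(samples):
    """Map each sample to (literal_rule hit, tag_rule hit) for side-by-side comparison."""
    return {s: (literal_rule(s), tag_rule(s)) for s in samples}


if __name__ == '__main__':
    for sample, (lit, tok) in evaluate(SAMPLES + BENIGN + [ENCODED]).items():
        print(f'literal={lit!s:5} tag={tok!s:5}  {sample!r}')
```

The literal rule fires on exactly one of the ten report variants; the tag-name rule fires on all ten and on none of the benign strings. The regex is deliberately permissive in the same direction as the browser (anything that is not a name character ends the tag name, and the tag may carry arbitrary attributes), which is what comment 2 describes: decode to characters first, then tokenize, and only then decide what the tag is.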
Removing confidential flag from bugs resolved INVALID
Group: security