This one comes straight from an exploit found by Renaud Lifchitz that uses the old div background-image inside a style tag but he took a different approach and unicoded the string. I modified his original exploit slightly to also encode the url parameter as well. Very cool, as it doesn’t require the use of the JavaScript directive or script tag, which always makes it harder to catch.

This entry was posted on Thursday, January 1st, 1970 at 12:00 am and is filed under XSS, Webappsec. You can leave a response as well.