web application security lab

Protocol resolution in script tags

This particular variant was submitted by Łukasz Pilorz and was based partially on Ozh’s protocol resolution bypass. This cross-site scripting example works in IE, Netscape in IE rendering mode and Opera if you add a closing </SCRIPT> tag at the end. It is especially useful where space is an issue, and of course, the shorter your domain, the better. The “.j” is valid regardless of the MIME type because the browser knows it in the context of a SCRIPT tag.
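
A defender's view of the point above, as an added example that is not part of the original post: a filter that only looks for an explicit `http:` or `https:` scheme misses a scheme-relative `src`, so the check below resolves each `src` against the page URL and compares origins. The page URL, host names and sample markup are constructed assumptions.

```javascript
// Added example: flag <script> start tags whose src resolves off-origin.
// PAGE_URL and all sample markup below are constructed for illustration.
const PAGE_URL = "https://app.example.test/profile";

// Weak filter: only recognises a src that spells out its scheme.
function naiveHasRemoteScript(html) {
  return /<script[^>]*\bsrc\s*=\s*["']?https?:/i.test(html);
}

// Match a script start tag even if it is never closed, and read src
// whether it is double-quoted, single-quoted or unquoted.
const SCRIPT_TAG = /<script\b([^>]*)>?/gi;
const SRC_ATTR = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;

function findExternalScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attr = SRC_ATTR.exec(m[1]);
    if (!attr) continue; // inline script, nothing to resolve
    const raw = attr[1] ?? attr[2] ?? attr[3];
    let resolved;
    try {
      // "//host/path" inherits the page's scheme, as the browser does.
      resolved = new URL(raw, pageUrl);
    } catch {
      findings.push({ raw, resolved: null, reason: "unparseable src" });
      continue;
    }
    if (resolved.origin !== pageOrigin) {
      findings.push({ raw, resolved: resolved.href, reason: "off-origin script" });
    }
  }
  return findings;
}

// Constructed samples: scheme-relative and unquoted, same-origin, explicit scheme.
const SAMPLES = [
  "<SCRIPT SRC=//cdn.example.test/.j>",
  '<script src="/static/app.js"></script>',
  '<script src="https://cdn.example.test/lib.js"></script>',
];
for (const s of SAMPLES) {
  console.log(naiveHasRemoteScript(s), findExternalScripts(s, PAGE_URL));
}
```

The file extension and the served MIME type play no part in the check, matching the paragraph's point that the browser treats whatever a SCRIPT tag loads as script.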
