web application security lab

String replace is XSS’s friend. Trust me.

String replace is actually a really common problem. Blwood discovered some XSS vulnerabilities in Tikiwiki. Here’s the premise: if the filter removes the string “<SCRIPT>”, you can use that to your advantage by entering something like “<sc<SCRIPT>ript>”, which becomes “<script>” once “<SCRIPT>” is removed. That’s bad. Bad, and common.
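
The single-pass removal described above, shown next to output encoding, as an added example that is not from the original post or from Tikiwiki. The function names are hypothetical and the filter is a minimal stand-in for the behaviour the post describes, not Tikiwiki's actual code.

```python
import html
import re

# Constructed sample input: the nested string quoted in the post.
NESTED = "<sc<SCRIPT>ript>"

_SCRIPT_TAG = re.compile(r"<script>", re.IGNORECASE)


def strip_once(value: str) -> str:
    """Weak filter from the post: delete every "<SCRIPT>" in a single pass."""
    return _SCRIPT_TAG.sub("", value)


def strip_until_stable(value: str) -> str:
    """Repeat the removal until the output stops changing.

    This closes the reassembly gap, but it is still a blacklist of a
    single token, so it is here for comparison only.
    """
    previous = None
    while previous != value:
        previous, value = value, _SCRIPT_TAG.sub("", value)
    return value


def encode_for_html(value: str) -> str:
    """Preferred fix: keep the input intact and encode it at HTML output."""
    return html.escape(value, quote=True)


def single_pass_is_unstable(value: str) -> bool:
    """Regression check for a filter: True when one pass leaves text that a
    second pass would still change, i.e. the filter reassembled the token."""
    return strip_once(value) != strip_until_stable(value)


if __name__ == "__main__":
    print("single pass :", repr(strip_once(NESTED)))
    print("until stable:", repr(strip_until_stable(NESTED)))
    print("encoded     :", repr(encode_for_html(NESTED)))
    print("unstable    :", single_pass_is_unstable(NESTED))
```

The `single_pass_is_unstable` check is useful as a unit test for any removal-based sanitizer: a filter whose output is not a fixed point of itself can be made to build the string it was meant to remove.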

One Response to “String replace is XSS’s friend. Trust me.”

  1. Nos Says:

    Hard to believe this is so common… then again, there are quite a few ‘typical’ ppl out there