Hotbot XSS Vulnerability
When I’m bored I watch my logs (you’d be amazed how many hack attempts I get a day - or maybe you wouldn’t, given the domain name). I also get a lot of hits to my XSS Cheat Sheet from people doing vulnerability assessments. Generally I ignore these types of hits because that’s what the page is built for, but this single log entry caught my eye because it was obvious someone had inadvertently hit my page, rather than as part of an intentional audit. I saw this page:
So after laughing for about ten minutes I did some research, and it turns out that here is what is happening. Using the MSN search, someone happened to find a page that was referencing a double-open angle bracket vector. Hotbot (most likely) didn’t sanitize the HTML because the tag was incomplete, and instead rendered it. Because the rendered tag pointed at a page that doesn’t exist, “scriptlet.html<BR>”, my server redirected back to my homepage as a 404. Obviously it would be extremely easy to fashion this into a real XSS exploit, but I think this proves the point. If you want to see for yourself follow this link.
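The mechanism above, as an added example that is not part of the original post and is not Hotbot’s actual code: a filter that only strips complete `<...>` tags from the search query in isolation lets an unterminated (double-open-bracket) vector through, and once the query is echoed into the results page the template’s own next `>` closes the dangling tag, so a lenient HTML parser sees a live `iframe`. Output encoding of the echoed query does not have that problem. The query strings, the `http://example.invalid/scriptlet.html` URL and the page template are all constructed for the demonstration.

```javascript
// Added example (not from the original post, not Hotbot's code).
// Contrasts a "strip closed tags only" filter with output encoding,
// using a constructed results-page template and constructed queries.

// Naive filter: removes only tags that are closed with '>' inside the fragment.
// An unterminated tag has no '>' to match, so it passes through untouched.
const NAIVE_TAG = /<[^>]*>/g;
function naiveStrip(fragment) {
  return fragment.replace(NAIVE_TAG, '');
}

// Hardened alternative: encode the characters that can start or end markup,
// so the query is rendered as text no matter where it lands in the page.
function htmlEncode(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed results-page templates that echo the query back to the user.
function renderResultsNaive(query) {
  return '<p>Results for: ' + naiveStrip(query) + '</p>';
}
function renderResultsEncoded(query) {
  return '<p>Results for: ' + htmlEncode(query) + '</p>';
}

// Simplified HTML tokenizer rule used for the check: a start tag begins at
// '<' followed by a letter and runs to the next '>' (quoted attribute values
// are ignored here for brevity). This is how a dangling '<iframe ...' gets
// closed by the template's own '>' rather than by anything in the query.
function liveStartTags(html) {
  const tags = [];
  const re = /<([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    tags.push(m[1].toLowerCase());
  }
  return tags;
}

// Constructed queries modelled on the cheat-sheet vector the post refers to.
// (Placeholder URL; the original vector pointed at scriptlet.html on ha.ckers.org.)
const COMPLETE_TAG_QUERY = '<iframe src="http://example.invalid/scriptlet.html"></iframe>';
const UNTERMINATED_TAG_QUERY = '<iframe src=http://example.invalid/scriptlet.html <';

// Returns the tag names a lenient parser would see for each combination.
function demo() {
  return {
    naiveComplete: liveStartTags(renderResultsNaive(COMPLETE_TAG_QUERY)),
    naiveUnterminated: liveStartTags(renderResultsNaive(UNTERMINATED_TAG_QUERY)),
    encodedUnterminated: liveStartTags(renderResultsEncoded(UNTERMINATED_TAG_QUERY)),
  };
}

console.log(demo());
```

The naive filter removes the well-formed `<iframe>` but leaves the unterminated one intact, and the rendered page then contains a real `iframe` start tag; the encoded version contains only the template’s own `<p>`. The lesson is that a fragment has to be filtered or, better, encoded for the context it is inserted into, not in isolation.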

June 30th, 2006 at 4:25 pm
[…] Like the Hotbot vuln Rsnake posted about a few weeks ago, this script also seems to suffer from the same thing. […]
July 8th, 2006 at 8:32 pm
Looks like this is now closed. I didn’t hear anything from anyone on when it was closed but as of 7/8/2006 this is now fixed.