|Main Archive Page > Month Archives > webappsec archives|
Ha Ha no, its not homework at all; those days are gone. I edited the code a little before I posted. Its actually a Level in a wargame targeted only at XSS. Doing that is a nice way to improve skill. Yes I understand I have to target document.write() but it outputs everything back into double quotes, so how do I do it? Thnx anyway...
On Sun, May 31, 2009 at 8:25 PM, Florian Weimer <firstname.lastname@example.org> wrote:
> * arvind doraiswamy:
>> Here's a snapshot of the related code:
>> <form action="blahblah.php" method="post">
>> document.write: <input type="text" name="p1" size="60" value="ggggg">
>> <input type="submit" value="reflect">
> Is this some sort of homework?
>> So as you see all reflection points are in double quotes and all key
>> characters are blocked off as mentioned earlier.
>> An input in the text box of: < > : ; " ' ` = ( ) / \ * is reflected back as:
>> < > : ; " ' ` = ( ) / \ *
> You need to target the document.write() call.