This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!
|Diavola||Tomato, Mozzarella, Pepperoni, ...||2||12|
|Napoli||Tomato, Mozzarella, Anchovies, ...||1||17|
|Neil Daswani||1234 1234 9999 1111||11||2007|
|Christoph Kern||1234 4321 3333 2222||4||2008|
|Anita Kesavan||2354 7777 1111 1234||3||2007|
Your query for 'cookies' returned the following results:... That is, the value of the query parameter question is inserted into the page returned by mywwwservice.com. We assume further that the data is not validated, filtered, or escaped. Now suppose that an attacker manages to cause our user Alice to load the following URL into her browser—for example, by tricking her into clicking a link, or by luring her into viewing a harmless-looking page that sources this URL in an invisible <iframe>: http://www.mywwwservice.com/query?➥ question=cookies+%3Cscript%3Emalicious-script%3C/script%3E The document loaded into the browser in response to this request will contain the following HTML fragment:
Error: Your query '%(query)s' did not return any results.Suppose an attacker can cause query to contain +ADw-script+AD4-alert(document.domain);+ADw-/script+AD4Note that this string does not contain any characters that would usually be filtered out by an input filtering framework. Neither would any of the characters be escaped by an application that follows the usual guidelines for HTML-escaping strings documented in Section 10.5.2. The resulting HTML snippet would render as
Error: Your query '+ADw-script+AD4-alert(document.domain);+ADw-/script+AD4-' did not return any results.If the user is using Internet Explorer (as of version 6.0) configured to auto-select encodings (set in menu View ➤ Encoding ➤ Auto-Select), Internet Explorer will guess UTF-7 as the encoding for this document (Firefox appears not to guess UTF-7 encodings, even with autodetect enabled). However, under UTF-7 encoding, the octet sequence corresponding to the ASCII characters +ADw- is actually an encoding of the less-than character (i.e., ). Therefore, the browser will interpret and execute the script tag.