[Esapi-user] [Esapi-dev] XSS on OWASP

Jeff Williams jeff.williams at aspectsecurity.com
Mon Jun 27 19:15:53 EDT 2011


I'm not sure exactly how he is rendering this static harmless java source code (that happens to contain some <script> tags) but this is *NOT* XSS or a browser bug. There's no user input!!!  The curse of the alert box proof of concept.

--Jeff
On Jun 27, 2011, at 6:36 PM, "Kevin W. Wall" <kevin.w.wall at gmail.com> wrote:

> A bug in IE 8 then.
> 
> On Mon, Jun 27, 2011 at 3:18 PM, Yan Yan Wang
> <yan.y.wang.r7lv at statefarm.com> wrote:
>> Does anyone else get the alert box when clicking on the link?
>> 
>> From: esapi-dev-bounces at lists.owasp.org
>> [mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Yan Yan Wang
>> Sent: Monday, June 27, 2011 1:55 PM
>> To: Esapi-user at lists.owasp.org; esapi-dev at lists.owasp.org
>> Subject: Re: [Esapi-dev] XSS on OWASP
>> 
>> http://owasp-esapi-java.googlecode.com/svn-history/r722/trunk/src/test/java/org/owasp/esapi/reference/ValidatorTest.java
>> 
>> Not sure if this is the place to go, but it appears that this page is
>> compromised on IE.
>> 
>> 
>> _______________________________________________
>> Esapi-dev mailing list
>> Esapi-dev at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-dev
> 
> -- 
> Blog: http://off-the-wall-security.blogspot.com/
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We *cause* accidents."        -- Nathaniel Borenstein