XSS exploit when JavaScript is disabled

Posted by snaken on Stack Overflow See other posts from Stack Overflow or by snaken
Published on 2010-06-04T11:13:59Z Indexed on 2010/06/05 10:42 UTC
Read the original article Hit count: 255

Filed under:

JavaScript

|

xss

|

pci-dss

I'm getting pretty frustrated trying to make McAffee whitelist a supposed exploit on a site i work on. The issue is that their automated system has detected a supposed XSS exploit but the exploit only exists when JavaScript is disabled. Given the fact that you need JavaScript to be disabled for the exploit to exist then surely this means this is not an exploit. Can anyone think of any possible arguments to the contrary?

Update - To add more detail:

The problem comes from in one place unsanitized URL content is written to an anchor tag href.So, with JS disabled you could have something like this:

<a href="foor.php?"><script>alert('foo')</script>#someanchor" ..

When JavaScript is enabled this href is updated to be this (on dom ready):

<a href="javascript:;">link</a>

So, with JS enabled the link is no longer injected, with JS disabled the alert would no longer execute.

© Stack Overflow or respective owner

Related posts about JavaScript

CHAT ROOMs 7 by 6

as seen on Stack Overflow - Search for 'Stack Overflow'
I am looking for chatroom on one page with 7 loggedin users and 6+rows for say 42 users.these users will keep on adding wthnew users.Need urgent help.A PRETTY UNUSUAL Q FOR MOST OF U.What is MORE REQ new features: Usernames are unique to users currently chatting You can see a "currently chatting"… >>> More
Integrating JavaScript Unit Tests with Visual Studio

as seen on Stephen Walter - Search for 'Stephen Walter'
Modern ASP.NET web applications take full advantage of client-side JavaScript to provide better interactivity and responsiveness. If you are building an ASP.NET application in the right way, you quickly end up with lots and lots of JavaScript code. When writing server code, you should be writing… >>> More
Has Javascript developed beyond what it was originally designed to do?

as seen on Programmers - Search for 'Programmers'
I've been talking with a friend about the purpose of Javascript, when and how it should be used, etc. He quoted that: JavaScript was designed to add interactivity to HTML pages [...] JavaScript gives HTML designers a programming tool HTML authors are normally not programmers… >>> More
PHP, javascript, single quote problems with IE when passing variable from ajax post to javascript fu

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi! I have been trying to get this to work for a while, and I suspect there's an easy solution that I just can't find. My head feels like jelly and I would really appreciate any help. My main page.php makes a .post() to backend.php and fetches a list of cities which it echoes in the form of: <li… >>> More
Javascript in XSL that is loaded by Javascript

as seen on Stack Overflow - Search for 'Stack Overflow'
Is there anyway to have javascript run when a XSL sheet has been applied to an XML file by Javascript? I am using a JQuery plugin to apply the sheet to the xml but the javascript that is located inside of the XSL file will not run. I put the Javascript at the bottom of the file and it still does… >>> More

Related posts about xss

XSS filtering function in PHP

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, Does anyone know of a good function out there for filtering generic input from forms? Zend_Filter_input seems to require prior knowledge of the contents of the input and I'm concerned that using something like HTML Purifier will have a big performance impact. What about something like : http://snipplr… >>> More
A way around XSS?

as seen on Stack Overflow - Search for 'Stack Overflow'
In my page I have an script reference to the autoHeight.js file below. I also have an iframe that I want to resize using this code. In firebug I get this error Error: Permission denied for <http://www.siena.edu> to get property HTMLDocument.body from <https://siteframework.siena.edu>… >>> More
Why isn't ValidateRequest="true" enough for XSS prevention?

as seen on Stack Overflow - Search for 'Stack Overflow'
In the notes for Step 1 in the "How To: Prevent Cross-Site Scripting in ASP.NET" it is stated that you should "not rely on ASP.NET request validation. Treat it as an extra precautionary measure in addition to your own input validation." Why isn't it enough? >>> More
How Google Wave cannot be XSS injected by a widget

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello, If you've used google wave you probabely seen that you can insert widgets that are made by third parties without approval. the Question is : How this widgets can't inject XSS or steal the cookies, Are the widgets loaded in an <iframe> ? if yes, then how they can't redirect google wave… >>> More
Why Google Wave & iGoogle cannot be XSS injected by a widget

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello, If you've used google wave or iGoogle you probabely seen that you can insert widgets that are made by third parties without approval. the Question is : How this widgets can't inject XSS or steal the cookies, Are the widgets loaded in an <iframe> ? if yes, then how they can't redirect… >>> More