Yes a XSS post again. I’m sorry 🙂 I’ve been having fun testing some really good filters (some of the best in the business IMO). I found a vector that isn’t on rsnake’s cheat sheet. Check it out:- Only works on IE <isindex type=image src=1 onerror=alert(1)> Because IE treats the isindex element (a very old […]

I (wrongly) assumed that Javascript frame breakers were ineffective when using iframes on IE when using the security=restricted attribute. As it turns out cookies are not allowed by default when using the attribute because the security settings are applied from IE restricted zone. My recommendation is to use frame breakers on administration pages and other […]