2008/1/14, GF <[EMAIL PROTECTED]>:
>
> >
> > Sorry again Fabio, but I need to understand: the querystring does not
> > seem to have a "param=value" structure, and <s:url> has "test" as action,
> > and does not take any dynamic value (i.e. parameter), but maybe I am
> > missing something.
>
> The bug is calling that page itself (I mean XSS.jsp) passing via GET
> the malicious querystring.
> The "test action" is never called. You get the XSS exploit on XSS.jsp
>
> I pasted somewhere the full code of XSS.jsp, call it passing the
> malicious querystring (on IE6) and you will see the javascript being
> executed.
OK, understood, thanks, sorry for my dumbness :-)
It's Monday after all :-)

Antonio
