Penetration Testing mailing list archives

RE: xss....what next???
From: Richard Braganza <Richard.Braganza () siemens com>
Date: Tue, 15 Aug 2006 16:18:58 +0100
IMHO (but thanks must go to rsnake for his xss guide),

Actually the trust relationship you want can be extended to include the
user's browser not just the user.

I have used this to great effect in web app testing,
e.g.
assuming website admins use the same website login process as normal
users,
make use of an admin user's escalated privilege, i.e. you get a website
admin to run your xss and add a user etc. without the admin knowing
they did it (this is the browser trust part).

Admittedly it took a while to craft the attacks with many failed
attempts.

But...
How many times when surfing the internet has your browser said there is
an error on the page and you simply carried on using the site and
ignored the issue. Were the sites, sites you had control over...

For easy wins:

I prefer testing (attacking) sign-up (the admins on some sites choose who
can sign up) and forgot-password pages (admins tend to use web-based
logs and just maybe they want the stats of failed logins) as these tend
to have unlogged-on access and hence the audit trail is weaker (IP can
be spoofed as you do not care for the response) and no site credentials
are required. In short, attack the pages that an admin is likely to also use
and see the results of (in one form or another).

And message boards if logged in.

Picking the easy wins in a time limited test is where web app testing
becomes an art rather than a methodology - but now I am off topic.

Regards

Richard Braganza
-----Original Message-----
From: mikeiscool [mailto:michaelslists () gmail com]
Sent: 14 August 2006 06:54
To: Ahmad N
Cc: pen-test () securityfocus com
Subject: Re: xss....what next???

On 8/14/06, Ahmad N <ahmad1985 () gmail com> wrote:
> hello,
>
> I managed to find a website prone to xss, this might sound stupid, but
> what's next??? how can I use it to the maximum??? I managed to pass
> javascript to a jspz arguments.....but I really can't see how much
> potential I have now???

well now you do a few things:

1. see if you can send a link with the xss to a user, while he is
logged in, and have him click it. if so, steal his session.

failing that,
2. send the link with the xss to somebody and forge the site's content
with your own, thereby tricking them into paying information to the
wrong account, or calling the wrong phone number, etc.

failing that,
3. nothing.

xss is only good if you can trick someone into trusting something. if
they don't trust it to begin with, it's useless.
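Both outcomes in the reply above, session theft via a crafted link and actions performed by a trusting (admin) browser, depend on the page echoing input back as live markup. As an added example, not code from the thread or any of its posters, here is a Python sketch of the reflection check a tester runs and of the server-side controls that close it; the search page, the marker value and the function names are constructed for illustration.

```python
import html

# Constructed marker: contains the characters an encoder must neutralise.
MARKER = '<"x">'


def render_search_vulnerable(query: str) -> str:
    """The situation the thread starts from: the query is echoed back
    verbatim, so any markup in it is interpreted by the viewer's browser."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Same page with output encoding: the browser renders text, not tags."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def reflected_unencoded(marker: str, body: str) -> bool:
    """Tester's check: True when the marker came back byte-for-byte,
    meaning the page did not encode it on the way out."""
    return marker in body and html.escape(marker, quote=True) not in body


def session_cookie_header(session_id: str) -> str:
    """HttpOnly keeps the session cookie out of document.cookie, which is
    what a 'steal his session' payload reads; it does NOT stop the second
    case (script acting inside the victim's own session), that needs encoding
    and the CSP below. Secure keeps the cookie off plain HTTP."""
    return (f"Set-Cookie: session={session_id}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def security_headers() -> dict:
    """A CSP without 'unsafe-inline' makes the browser refuse injected inline
    script even if an encoding bug slips through; nosniff stops user uploads
    being sniffed as HTML."""
    return {
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for name, render in (("vulnerable", render_search_vulnerable),
                         ("safe", render_search_safe)):
        print(name, "reflects unencoded:",
              reflected_unencoded(MARKER, render(MARKER)))
```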
