Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Exploiting XSS
From: "Guy Mizrahi" <guym () betternet co il>
Date: Thu, 4 Dec 2008 03:33:21 +0200

A great way to show why XSS is bad for the customer is to use xssshell.
If you don't know this tool you can find it here: https://labs.portcullis.co.uk/application/xssshell/ This tool allows you to do a lot of stuff on the site visitors - I find that a movie that shows what you can do with xssshell is always a good answer to "What can you do with XSS?".

Guy Mizrahi
Security Researcher
http://hacking.org.il

----- Original Message ----- From: "Whitehat" <whitehaat () gmail com>
To: "pen-test" <pen-test () securityfocus com>
Sent: Wednesday, December 03, 2008 7:08 AM
Subject: Exploiting XSS


Dear List,

I'm doing a WAPT for a website and found many XSS issues (both Stored
and Reflected).
I wanted to do more and show to the customer, apart from normal script
injection  and  getting it popped up.

Consider that u found an XSS issue in a field and your script is running,

  1. Now what are the further steps for exploiting XSS completely????
  2. How an attacker can really make  use of  it?
  3. How to Compromise ??
  4. What are the real world scenarios can be used

Looking for few good inputs/imlementations/expolits/BooKs ..............

Thanks in advance,

Cheers,
White hat


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------





------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]