Penetration Testing mailing list archives
RE: xss....what next???
From: Richard Braganza <Richard.Braganza () siemens com>
Date: Tue, 15 Aug 2006 16:18:58 +0100
IMHO (but thanks must go to rsnake for his XSS guide), actually the trust relationship you want can be extended to include the user's browser, not just the user. I have used this to great effect in web app testing, e.g. assuming website admins use the same website login process as normal users, make use of an admin user's escalated privilege, i.e. you get a website admin to run your XSS and add a user etc., without the admin knowing they did it (this is the browser trust part). Admittedly it took a while to craft the attacks, with many failed attempts. But... how many times when surfing the internet has your browser said there is an error on the page and you simply carried on using the site and ignored the issue? Were the sites, sites you had control over?

For easy wins: I prefer testing (attacking) sign-up pages (the admins on some sites choose who can sign up) and forgot-password pages (admins tend to use web-based logs, and just maybe they want the stats of failed logins), as these tend to have unlogged-on access and hence the audit trail is weaker (IP can be spoofed as you do not care for the response) and no site credentials are required. In short, attack the pages that an admin is likely to also use and see the results of (in one form or another). And message boards if logged in.

Picking the easy wins in a time-limited test is where web app testing becomes an art rather than a methodology - but now I am off topic.

Regards
Richard Braganza

-----Original Message-----
From: mikeiscool [mailto:michaelslists () gmail com]
Sent: 14 August 2006 06:54
To: Ahmad N
Cc: pen-test () securityfocus com
Subject: Re: xss....what next???

> On 8/14/06, Ahmad N <ahmad1985 () gmail com> wrote:
> > hello, I managed to find a website prone to XSS. This might sound stupid, but what's next? How can I use it to the maximum? I managed to pass JavaScript to a JSP's arguments, but I really can't see how much potential I have now.
> well now you do a few things:
>
> 1. see if you can send a link with the XSS to a user, while he is logged in, and have him click it. If so, steal his session. Failing that,
> 2. send the link with the XSS to somebody and forge the site's content with your own, thereby tricking them into paying information to the wrong account, or calling the wrong phone number, etc. Failing that,
> 3. nothing. XSS is only good if you can trick someone into trusting something. If they don't trust it to begin with, it's useless.
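The thread turns on two things a defender controls: whether a reflected parameter (the JSP argument Ahmad mentions) reaches the page as live markup, and whether a script that does run can read the session cookie that step 1 of mikeiscool's list depends on. The following is an added example written for this archive page, not code from any poster or from the site under discussion; the parameter value, the cookie name JSESSIONID and the greeting page are constructed for illustration.

```python
import html
from http import cookies

# Constructed sample input: a reflected parameter carrying a script tag,
# standing in for the kind of value the thread describes passing into a
# JSP argument. Not taken from the thread.
SAMPLE_PARAM = '<script>alert("xss")</script>'


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable pattern: the untrusted parameter is concatenated into HTML."""
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name: str) -> str:
    """Fix for an HTML text context: entity-encode the untrusted value.

    Encoding is context-specific; this helper is only correct for text between
    tags, not for attribute, URL or JavaScript contexts."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def contains_active_markup(rendered: str) -> bool:
    """Crude check used only by this example: is a raw script tag still present?"""
    return "<script" in rendered.lower()


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie value that keeps the session cookie out of script reach.

    HttpOnly denies document.cookie access, so even a script that runs cannot
    read the session; Secure keeps it off plain HTTP; SameSite=Lax limits
    cross-site requests that carry it. The cookie name is an assumption."""
    jar = cookies.SimpleCookie()
    jar["JSESSIONID"] = session_id
    jar["JSESSIONID"]["httponly"] = True
    jar["JSESSIONID"]["secure"] = True
    jar["JSESSIONID"]["samesite"] = "Lax"
    return jar.output(header="").strip()


def cookie_is_hardened(header: str) -> bool:
    """Check a Set-Cookie value for the three attributes above (case-insensitive).

    Useful when reviewing captured responses during a test: a session cookie
    missing HttpOnly is readable by any script that gets onto the page."""
    attrs = {part.strip().split("=")[0].lower() for part in header.split(";")[1:]}
    return {"httponly", "secure", "samesite"} <= attrs


if __name__ == "__main__":
    print("unsafe:", render_greeting_unsafe(SAMPLE_PARAM))
    print("safe:  ", render_greeting_safe(SAMPLE_PARAM))
    print("cookie:", session_cookie_header("abc123"))
```

The encoded rendering neutralises the reflected value, which is the only change that also closes the admin-browser abuse Richard describes: a script that never executes cannot act with the admin's privileges. The cookie attributes are defence in depth for the case where an encoding gap is missed; HttpOnly stops cookie theft but does not stop a running script from making requests in the victim's session, so it complements output encoding rather than replacing it.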
Current thread:
- xss....what next??? Ahmad N (Aug 13)
- Re: xss....what next??? mikeiscool (Aug 14)
- Re: xss....what next??? Dr HenDre (Aug 14)
- Re: xss....what next??? steven (Aug 14)
- Re: xss....what next??? Dr David Scholefield (Aug 15)
- <Possible follow-ups>
- RE: xss....what next??? Richard Braganza (Aug 15)