WebApp Sec mailing list archives
Re: Looking for a Web Application Vulnerable to XSS Cookie Grab
From: "Jeff Williams" <jeff.williams () aspectsecurity com>
Date: Sat, 6 Nov 2004 17:16:06 -0500
WebGoat has lessons on both stored and reflected XSS. You can use the reflected XSS lessons to do what you want to do simply by sending your victim an email that has a link exploiting the vulnerable page in WebGoat. The stored XSS lesson used to work the way you want, with all users messages going into a single list. But it was confusing for students who want to test with *their* messages only. If you'd like the multi-user behavior, you can change StoredXss.java in the makeList method as follows... ResultSet results = statement.executeQuery( STANDARD_QUERY + " WHERE user = '" + s.getUserName() + "'" ); to ResultSet results = statement.executeQuery( STANDARD_QUERY ); --Jeff ----- Original Message ----- From: "CFW" <cfw_security () comcast net> To: <webappsec () securityfocus com> Sent: Friday, November 05, 2004 4:33 PM Subject: Looking for a Web Application Vulnerable to XSS Cookie Grab
Hi all, I am setting up a lab to learn about web application security and I have been messing with WebGoat and Foundstone's HacmeBank and found them to be very useful learning tools. One thing lacking in them (from what I can tell) is a multiuser, XSS Cookie Grabbing example. Basically, I would like to have a little application (or part of one of these applications) that one (malicious) user can log in to and post a XSS cookie grabber to a forum or guestbook or something. Then, the attacker fires up a listener until another user logs in and hits the script, sending the cookies to the listener. Then, the first user can change his cookies, and see clearly that the web application thinks it is the second user. Does anyone know of such an application? The Foundstone Hacme Bank is almost there in that it has a "Post Message" section that is vulnerable to XSS, but it is set up so that each user sees only their own messages, so it is not possible to post a malicious script to someone else. If the Foundstone people are reading this, have you considered changing this behavior? While I am asking, are there any other web applications like these that I should set up? I looked at WebMaven, but it looks like that has been overtaken by Hacme and Webgoat (correct me if I am wrong). Someone mentioned a while back on pen-test that you could use an old version of PHP-Nuke as a vulnerable site since it has a lot of known issues. Has anyone done this and have any hints on what version is the most useful in this respect (most vulnerable I guess)? Thanks a bunch and have a good weekend. Chuck
Current thread:
- Looking for a Web Application Vulnerable to XSS Cookie Grab CFW (Nov 05)
- RE: Looking for a Web Application Vulnerable to XSS Cookie Grab Mark Curphey (Nov 06)
- Re: Looking for a Web Application Vulnerable to XSS Cookie Grab CFW (Nov 08)
- RE: Looking for a Web Application Vulnerable to XSS Cookie Grab Mark Curphey (Nov 09)
- Re: Looking for a Web Application Vulnerable to XSS Cookie Grab CFW (Nov 08)
- RE: Looking for a Web Application Vulnerable to XSS Cookie Grab Mike Andrews (Nov 06)
- Re: Looking for a Web Application Vulnerable to XSS Cookie Grab Jeff Williams (Nov 06)
- <Possible follow-ups>
- RE: Looking for a Web Application Vulnerable to XSS Cookie Grab Michael Silk (Nov 09)
- RE: Looking for a Web Application Vulnerable to XSS Cookie Grab Mark Curphey (Nov 06)