Penetration Testing mailing list archives
RE: XSS LAB DEMO IDEAS
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Tue, 7 Jan 2003 10:32:28 +0200
As an example of what one can do with XSS, I was reviewing a banking site which had the following sequence: User registers, providing their account details, locations, etc. The registration is reviewed by a supervisor (different privilege levels), who contacts the user telephonically to authenticate them, before activating the account. The user then logs on, and accesses their accounts.

I was able to insert enough scripting into the personal data to automatically activate the account as soon as it was viewed, without the supervisor needing to do it manually. In fact, I was able to become a supervisor myself, and add any account I liked. Fortunately I caught this one in the testing phase :-)

That sort of thing can make quite a powerful demonstration of why input filtering (more correctly, OUTPUT filtering) is so important.

Rogan

-----Original Message-----
From: Jeremy Junginger [mailto:jj () act com]
Sent: 06 January 2003 07:01 PM
To: pen-test
Subject: XSS LAB DEMO IDEAS

After reading the papers by iDefense and the paper at http://www.technicalinfo.net/papers/CSS.html, I would like to put a working example together to familiarize our web developers with XSS vulnerabilities and their impact on the web site (and business). I would like to poll the group for interesting ways to demonstrate these vulnerabilities in a lab environment. Thanks for taking the time to give your input.

-Jeremy

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
----------------------------------------------------------------------------
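The workflow Rogan describes (registrant-supplied data later rendered in a higher-privileged supervisor's browser) is a stored XSS pattern, and his closing point is that the fix belongs at output time. The following is an added example for a lab demo, not code from the original thread or from the banking site discussed; the profile record, field names, review-page template and `escapeHtml`/`renderReviewPage*` function names are all constructed for this illustration.

```javascript
// Added example (not from the original post): the review page of a
// registration workflow, rendered once without and once with output
// encoding. All names and data here are constructed for the illustration.

// HTML-encode a string so it is safe to place in element content and in
// double- or single-quoted attribute values. Encoding is applied at the
// point where untrusted data meets the markup, not when it is stored.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable version: the registrant's data is concatenated straight into
// the page the supervisor views. The supervisor's browser parses whatever
// the registrant typed as HTML, in the supervisor's own session.
function renderReviewPageUnsafe(profile) {
  return "<h1>Pending registration</h1>" +
    "<p>Name: " + profile.name + "</p>" +
    "<p>Location: " + profile.location + "</p>";
}

// Hardened version: the same template, but every untrusted field is
// encoded on output, so the same input is displayed as literal text.
function renderReviewPageSafe(profile) {
  return "<h1>Pending registration</h1>" +
    "<p>Name: " + escapeHtml(profile.name) + "</p>" +
    "<p>Location: " + escapeHtml(profile.location) + "</p>";
}

// Test oracle for the lab: does the rendered fragment contain any element
// other than the ones the template itself emits? This is a check for the
// demo, not a replacement for encoding.
function containsUnexpectedTags(html, allowedTags) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some(
    (t) => !allowedTags.includes(t.replace(/^<\/?/, "").toLowerCase())
  );
}

// Constructed sample registration: the "location" field carries markup.
const sampleProfile = {
  name: "Jane Example",
  location: "<script>/* registrant-controlled code */</script>",
};

// The only elements the review template is supposed to produce.
const TEMPLATE_TAGS = ["h1", "p"];

// Render both variants and report whether foreign elements reached the page.
function demo() {
  const unsafe = renderReviewPageUnsafe(sampleProfile);
  const safe = renderReviewPageSafe(sampleProfile);
  return {
    unsafeHasForeignTags: containsUnexpectedTags(unsafe, TEMPLATE_TAGS),
    safeHasForeignTags: containsUnexpectedTags(safe, TEMPLATE_TAGS),
    safeHtml: safe,
  };
}

console.log(demo());
```

In a demo the interesting moment is that neither the registrant nor the registration form does anything unusual: the data sits in the database until a more privileged user's browser renders it. Encoding at output also covers data that entered the system through channels other than the web form (imports, support tooling), which is why it is the more reliable control than filtering on input.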
Current thread:
- XSS LAB DEMO IDEAS Jeremy Junginger (Jan 06)
- Re: XSS LAB DEMO IDEAS Loki (Jan 06)
- Re: XSS LAB DEMO IDEAS Kevin Spett (Jan 06)
- <Possible follow-ups>
- Re: XSS LAB DEMO IDEAS Mark Curphey (Jan 06)
- RE: XSS LAB DEMO IDEAS Dawes, Rogan (ZA - Johannesburg) (Jan 07)
- Re: XSS LAB DEMO IDEAS Fermín J. Serna (Jan 08)
- RE: XSS LAB DEMO IDEAS Jeremy Junginger (Jan 08)
- RE: XSS LAB DEMO IDEAS Dawes, Rogan (ZA - Johannesburg) (Jan 10)