Re: Exploiting XSS

["Guy Mizrahi" <guym () betternet co il>]

A great way to show why XSS is bad for the customer is to use xssshell.
If you don't know this tool you can find it here: 
https://labs.portcullis.co.uk/application/xssshell/
This tool allows you to do a lot of stuff on the site visitors - I find that 
a movie that shows what you can do with xssshell is always a good answer to 
"What can you do with XSS?".

Guy Mizrahi
Security Researcher
http://hacking.org.il

----- Original Message ----- 
From: "Whitehat" <whitehaat () gmail com>
To: "pen-test" <pen-test () securityfocus com>
Sent: Wednesday, December 03, 2008 7:08 AM
Subject: Exploiting XSS


> Dear List,
>
> I'm doing a WAPT for a website and found many XSS issues (both Stored
> and Reflected).
> I wanted to do more and show to the customer, apart from normal script
> injection  and  getting it popped up.
>
> Consider that u found an XSS issue in a field and your script is running,
>
>   1. Now what are the further steps for exploiting XSS completely????
>   2. How an attacker can really make  use of  it?
>   3. How to Compromise ??
>   4. What are the real world scenarios can be used
>
> Looking for few good inputs/imlementations/expolits/BooKs ..............
>
> Thanks in advance,
>
> Cheers,
> White hat
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Security Trends Report from Cenzic
> Stay Ahead of the Hacker Curve!
> Get the latest Q2 2008 Trends Report now
>
> www.cenzic.com/landing/trends-report
> ------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------