Penetration Testing mailing list archives
Re: Exploiting XSS
From: "Durga Prasad Adusumalli" <asndpp () gmail com>
Date: Thu, 4 Dec 2008 18:23:31 +0530
Hi Adnan, If you are comfortable with Javascripting, you can create an exploit that would deface the website. Refer book, "XSS attacks" for more information on xss exploits. Good luck Durga Prasad. On Thu, Dec 4, 2008 at 1:31 AM, Baykal, Adnan (CSCIC) <adnan.baykal () cscic state ny us> wrote:
One thing quick is to use the XSS to steal visitor cookies and sessionids then do session hijacking. Or use jitko to scan internal systems. Also grossman described this approach recently. -------------------------------------------------------- This message may contain confidential information and is intended only for the individual(s) named. If you are not an intended recipient you are not authorized to disseminate, distribute or copy this e-mail. Please notify the sender immediately if you have received this e-mail by mistake and delete this e-mail from your system. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Whitehat Sent: Wednesday, December 03, 2008 12:09 AM To: pen-test Subject: Exploiting XSS Dear List, I'm doing a WAPT for a website and found many XSS issues (both Stored and Reflected). I wanted to do more and show to the customer, apart from normal script injection and getting it popped up. Consider that u found an XSS issue in a field and your script is running, 1. Now what are the further steps for exploiting XSS completely???? 2. How an attacker can really make use of it? 3. How to Compromise ?? 4. What are the real world scenarios can be used Looking for few good inputs/imlementations/expolits/BooKs .............. Thanks in advance, Cheers, White hat ------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------ ------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------
Current thread:
- Exploiting XSS Whitehat (Dec 03)
- RE: Exploiting XSS Baykal, Adnan (CSCIC) (Dec 03)
- Re: Exploiting XSS Anthony Cicalla (Dec 05)
- Re: Exploiting XSS NeZa (Dec 05)
- Re: Exploiting XSS Durga Prasad Adusumalli (Dec 05)
- Re: Exploiting XSS Danilo Nascimento (Dec 05)
- Re: Exploiting XSS Adriel T. Desautels (Dec 05)
- Message not available
- Re: Exploiting XSS Adriel T. Desautels (Dec 05)
- Re: Exploiting XSS Paul Melson (Dec 07)
- Re: Exploiting XSS Adriel T. Desautels (Dec 07)
- Re: Exploiting XSS xsp (Dec 07)
- Message not available
- RE: Exploiting XSS Baykal, Adnan (CSCIC) (Dec 03)
- <Possible follow-ups>
- Re: Exploiting XSS Ulisses Castro (thebug) (Dec 03)