Penetration Testing mailing list archives

Re: Odd XSS Exploit


From: "arvind doraiswamy" <arvind.doraiswamy () gmail com>
Date: Sat, 3 May 2008 10:32:46 +0530

You want to elaborate a bit more on this? My feel is that the fact
that it gave you a session error back meant that you were already
logged in to the application. Then you intercepted or somehow did the
XSS bit, upon which the app detected you had messed around with the
variables and threw you out. You then killed Firefox, which should have
destroyed the session as well but for some reason did not. Most
probably because there is some kind of "remember me" feature in the
application which is storing session state somewhere (maybe a cookie??),
or the page that you see is cached and there's no real connection
happening to the server when you go to that page again. This sounds
possible as well, because a "logged in user" page, if it has static
content, might not change and is cached. That is a problem, but it's not
an XSS problem.

If I've misunderstood please post back.

Cheers
Arvind

On Thu, May 1, 2008 at 7:59 AM,  <guinness.stout () gmail com> wrote:
 I was hoping someone could shed some light on this odd XSS
 vulnerability I uncovered while doing a pentest for a client. The
 site is a customer portal, and when the below XSS is executed nothing
 happens. Basically it gives a session error back, nothing interesting
 there. But when you kill -9 or End Process on Firefox, then reopen
 with "Restore Session", the site comes back up to the XSS but dumps
 logged-in users' information.

 I cannot replicate this in other browsers nor with Paros, WebScarab, SPIKE etc.

 https://host/portal/j_acegi_security_check?j_username=%27%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&j_password=d&login=Login

 -Chris

 ------------------------------------------------------------------------
 This list is sponsored by: Cenzic

 Need to secure your web apps NOW?
 Cenzic finds more, "real" vulnerabilities fast.
 Click to try it, buy it or download a solution FREE today!

 http://www.cenzic.com/downloads
 ------------------------------------------------------------------------



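An added example, not part of the thread and not the portal's code: it takes the login URL Chris quoted, percent-decodes the j_username value the way a servlet container would, and shows the reflection point the payload is aimed at. The two page-rendering functions are hypothetical (the thread does not say how the portal builds its error page); only the parameter names and the payload come from the quoted URL. The second half covers Arvind's alternative explanation: the response headers an authenticated page needs so a browser cannot serve it from cache after the session is gone.

```javascript
// Added example (not from the thread). Handler names are hypothetical;
// the parameter names (j_username, j_password) and the payload are taken
// from the URL quoted in the original post.

// The URL from the original post, used here as the sample input.
const SAMPLE_LOGIN_URL =
  "https://host/portal/j_acegi_security_check?j_username=%27%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&j_password=d&login=Login";

// Parse the login request the way a servlet container exposes it to the
// application: percent-decoded parameter values (%27 -> ', %3C -> <, ...).
function parseLoginRequest(urlString) {
  const url = new URL(urlString);
  return {
    path: url.pathname,
    username: url.searchParams.get("j_username") || "",
    password: url.searchParams.get("j_password") || "",
  };
}

// Encode the five characters that change meaning in HTML text and
// quoted-attribute context. This is the minimal correct encoder for
// inserting untrusted data into an HTML text node.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// VULNERABLE (hypothetical): a login-failure page that echoes the submitted
// username verbatim, so the <script> from j_username lands as live markup.
function renderLoginErrorVulnerable(username) {
  return `<html><body><p>Login failed for user ${username}.</p></body></html>`;
}

// HARDENED: the same page with the username HTML-encoded at the output point.
function renderLoginErrorSafe(username) {
  return `<html><body><p>Login failed for user ${escapeHtml(username)}.</p></body></html>`;
}

// Headers for any response carrying an authenticated user's data. Without
// no-store a browser may replay the last logged-in page from its cache after
// the server-side session is gone, which is the non-XSS explanation offered
// in the reply above.
function authenticatedPageHeaders() {
  return {
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
    "Pragma": "no-cache",
    "Expires": "0",
  };
}

// Does the rendered HTML still contain an executable script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Run the payload through both renderers and report what a tester would check.
function demo() {
  const req = parseLoginRequest(SAMPLE_LOGIN_URL);
  const vulnerable = renderLoginErrorVulnerable(req.username);
  const safe = renderLoginErrorSafe(req.username);
  return {
    decodedUsername: req.username,
    vulnerableHasScript: containsScriptTag(vulnerable),
    safeHasScript: containsScriptTag(safe),
    safeHtml: safe,
    headers: authenticatedPageHeaders(),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with `node` to see the decoded payload `'<script>alert('xss')</script>` appear intact in the vulnerable page and as `&#x27;&lt;script&gt;...` in the encoded one. If the portal's real error page behaves like the hardened function, the alert never fires, and the session-restore behaviour is a caching or session-handling issue to chase with the headers above rather than an XSS finding.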

