Penetration Testing mailing list archives

Re: Odd XSS Exploit

From: "kevin horvath" <kevin.horvath () gmail com>
Date: Tue, 6 May 2008 16:48:01 -0400

This is not related to XSS but to input validation.  It looks like it
doesn't know what to do with the %27 which is a ' mark.  Since its a
username field and it doesn't like the ' mark you should look more at
sql injection and the logic processing of the application.

On Sat, May 3, 2008 at 1:02 AM, arvind doraiswamy
<arvind.doraiswamy () gmail com> wrote:

You want to elaborate a bit more on this? My feel is that the fact
 that it gave you  a session error back meant that you were already
 logged in to the application. Then you intrcepted or somehow did the
 XSS bit upon which the app detected you had messed around with the
 variables and threw you out. You then killed Firefox which should have
 destroyed the session as well but for some reason did not. Most
 probably because there is some kind of "remember me " feature in the
 application which is storing session state somewhere(maybe a cookie??)
 or the page what you see is cached and there's no real connection
 happening to the server when you go to that page again. This sounds
 possible as well because a "logged in user" page if it has static
 content might not change and is cached. That is a problem but its not
 an XSS problem.

 If I've misunderstood please post back.

 Cheers
 Arvind

 On Thu, May 1, 2008 at 7:59 AM,  <guinness.stout () gmail com> wrote:
 > I was hoping someone could shed some light on this odd XSS
 >
 >  vulnerability I uncovered while doing a pentest for a client.  The
 >
 >  site is a customer portal and when the below XSS is executed nothing
 >
 >  happens.  Basically gives a session error back, nothing interesting
 >
 >  there.  But when you kill -9 or End Process on FireFox then reopen
 >
 >  with "Restore Session" the site comes back up to the XSS but dumps
 >
 >  logged in users information.
 >
 >
 >  I cannot replicate this in other browsers nor with Paros, webscarab, SPIKE etc.
 >
 >
 >  
https://host/portal/j_acegi_security_check?j_username=%27%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&j_password=d&login=Login
 >
 >
 >  -Chris
 >
 >  ------------------------------------------------------------------------
 >  This list is sponsored by: Cenzic
 >
 >  Need to secure your web apps NOW?
 >  Cenzic finds more, "real" vulnerabilities fast.
 >  Click to try it, buy it or download a solution FREE today!
 >
 >  http://www.cenzic.com/downloads
 >  ------------------------------------------------------------------------
 >
 >

 ------------------------------------------------------------------------
 This list is sponsored by: Cenzic

 Need to secure your web apps NOW?
 Cenzic finds more, "real" vulnerabilities fast.
 Click to try it, buy it or download a solution FREE today!

 http://www.cenzic.com/downloads
 ------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Current thread:

Odd XSS Exploit guinness . stout (May 01)
- Re: Odd XSS Exploit arvind doraiswamy (May 05)
  - Re: Odd XSS Exploit kevin horvath (May 06)