Penetration Testing mailing list archives
Re: Odd XSS Exploit
From: "kevin horvath" <kevin.horvath () gmail com>
Date: Tue, 6 May 2008 16:48:01 -0400
This is not related to XSS but to input validation. It looks like it doesn't know what to do with the %27, which is a ' mark. Since it's a username field and it doesn't like the ' mark, you should look more at SQL injection and the logic processing of the application.

On Sat, May 3, 2008 at 1:02 AM, arvind doraiswamy <arvind.doraiswamy () gmail com> wrote:
> You want to elaborate a bit more on this? My feel is that the fact that it gave you a session
> error back meant that you were already logged in to the application. Then you intercepted or
> somehow did the XSS bit, upon which the app detected you had messed around with the variables
> and threw you out. You then killed Firefox, which should have destroyed the session as well but
> for some reason did not. Most probably because there is some kind of "remember me" feature in
> the application which is storing session state somewhere (maybe a cookie??), or the page you
> see is cached and there's no real connection happening to the server when you go to that page
> again. This sounds possible as well because a "logged in user" page, if it has static content,
> might not change and is cached. That is a problem but it's not an XSS problem.
>
> If I've misunderstood please post back.
>
> Cheers
> Arvind
>
> On Thu, May 1, 2008 at 7:59 AM, <guinness.stout () gmail com> wrote:
> > I was hoping someone could shed some light on this odd XSS
> > vulnerability I uncovered while doing a pentest for a client. The
> > site is a customer portal and when the below XSS is executed nothing
> > happens. Basically gives a session error back, nothing interesting
> > there. But when you kill -9 or End Process on FireFox then reopen
> > with "Restore Session" the site comes back up to the XSS but dumps
> > logged in users information.
> >
> > I cannot replicate this in other browsers nor with Paros, webscarab, SPIKE etc.
> >
> > https://host/portal/j_acegi_security_check?j_username=%27%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&j_password=d&login=Login
> >
> > -Chris
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution FREE today!
> > http://www.cenzic.com/downloads
> > ------------------------------------------------------------------------
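As an added illustration of Kevin's point (example code, not written by anyone in the thread), the login URL from the original post is decoded the way a handler behind j_acegi_security_check would see it, then run through a string-concatenated credential lookup and a parameterized one. The in-memory `users` table, its columns and the `alice`/`secret` account are constructed assumptions, not anything known about the client's portal.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# The login URL quoted in the original post (constructed input for this example).
LOGIN_URL = ("https://host/portal/j_acegi_security_check"
             "?j_username=%27%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E"
             "&j_password=d&login=Login")


def decode_login_params(url):
    """Return the decoded j_username / j_password a login handler would receive."""
    qs = parse_qs(urlsplit(url).query)
    return qs["j_username"][0], qs["j_password"][0]


def make_db():
    """In-memory users table with one constructed account (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'secret')")
    return db


def lookup_concat(db, username, password):
    """Naive handler: decoded values are pasted into the SQL text.
    The leading ' in j_username unbalances the quoting, so the statement
    fails to parse; the caller only sees a generic error, which is the
    kind of 'session error' the thread attributes to input handling."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    try:
        return db.execute(sql).fetchone()
    except sqlite3.Error as e:
        return "SQL error: %s" % e


def lookup_param(db, username, password):
    """Hardened handler: bound parameters, so quote and script characters
    in the username are plain data and the query simply returns no row."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    user, pw = decode_login_params(LOGIN_URL)
    db = make_db()
    print("decoded j_username:", user)
    print("string-concat handler:", lookup_concat(db, user, pw))
    print("parameterized handler:", lookup_param(db, user, pw))
    print("parameterized, valid login:", lookup_param(db, "alice", "secret"))
```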
Current thread:
- Odd XSS Exploit guinness . stout (May 01)
- Re: Odd XSS Exploit arvind doraiswamy (May 05)
- Re: Odd XSS Exploit kevin horvath (May 06)
- Re: Odd XSS Exploit arvind doraiswamy (May 05)