[WEB SECURITY] Re: Odd XSS Exploit

Arian J. Evans arian.evans at anachronic.com
Wed May 7 13:08:12 EDT 2008


I've seen this before. Will the JS also execute if you do a refresh, or a
ctrl/shift + refresh? I suspect so.

Snip all the places the alert lands in the code, and paste them to the list.

It's probably the way the DOM is built, or the order it lands in a value in
the page. FF also has a couple of weird parser issues regarding JS; that
reminds me, we need to publish....

You'll get more response on these from the WASC webappsec list
on something like XSS exploitation and browser behaviors.

In fact, I don't think I can even reply to the SF pen-test list these days.

-ae


On Wed, Apr 30, 2008 at 7:29 PM,  <guinness.stout at gmail.com> wrote:
> I was hoping someone could shed some light on this odd XSS
> vulnerability I uncovered while doing a pentest for a client. The
> site is a customer portal and when the below XSS is executed nothing
> happens. Basically gives a session error back, nothing interesting
> there. But when you kill -9 or End Process on Firefox then reopen
> with "Restore Session" the site comes back up to the XSS but dumps
> logged-in users' information.
>
> I cannot replicate this in other browsers nor with Paros, WebScarab, SPIKE etc.
>
> https://host/portal/j_acegi_security_check?j_username=%27%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&j_password=d&login=Login
>
> -Chris



-- 
Arian J. Evans.

I spend most of my money on motorcycles, mistresses, and martinis. The
rest of it I squander.
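The reflected login-name case in the quoted report, as an added example that is not part of the thread. It assumes a session-error page that echoes j_username back into the HTML (the report does not show the portal's code; the page templates and the reflects_unencoded check are constructed for illustration).

```python
import html
from urllib.parse import urlsplit, parse_qs

# The login URL quoted in the report ("host" is a placeholder, as in the original).
REPORTED_URL = ("https://host/portal/j_acegi_security_check"
                "?j_username=%27%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E"
                "&j_password=d&login=Login")


def login_fields(url):
    """Return the decoded j_username and j_password the browser submits."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("j_username", [""])[0], qs.get("j_password", [""])[0]


def error_page_unsafe(username):
    """Constructed 'before' form: the submitted name lands in the HTML unencoded,
    which is the defect the report's symptom implies."""
    return f"<html><body><p>Session error for user {username}</p></body></html>"


def error_page_safe(username):
    """Constructed hardened form: HTML-encode the value before it reaches the body,
    so <, >, quotes and ampersands can no longer start markup or script."""
    return (f"<html><body><p>Session error for user "
            f"{html.escape(username, quote=True)}</p></body></html>")


def reflects_unencoded(response_body, submitted_value):
    """Regression check for a test suite: does a submitted value containing HTML
    metacharacters come back verbatim in the response?  Harmless input (no
    metacharacters) is reported as False so the check does not flag every echo."""
    if not any(ch in submitted_value for ch in "<>\"'&"):
        return False
    return submitted_value in response_body


if __name__ == "__main__":
    user, _ = login_fields(REPORTED_URL)
    print("decoded j_username:", user)
    print("unsafe page reflects it:", reflects_unencoded(error_page_unsafe(user), user))
    print("safe page reflects it:  ", reflects_unencoded(error_page_safe(user), user))
```

The same check run against the portal's real session-error response (with a test value, not a live payload) tells you whether the encoding fix actually took, independent of which browser or proxy happens to render it.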

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list