[WEB SECURITY] XSS Question

Calderon, Juan Carlos (GE, Corporate, consultant) juan.calderon at ge.com
Thu Jun 23 12:49:10 EDT 2011


Taking control over a user's browser (and eventually computer) using an XSS is not funny.

Check XSSShell http://labs.portcullis.co.uk/application/xssshell/

There are some videos on the web showing where you can get with it.

Regards,
Juan C Calderon

-----Original Message-----
From: websecurity-bounces at lists.webappsec.org [mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of Robert A.
Sent: Thursday, June 23, 2011 11:22 AM
To: Jason Drury
Cc: websecurity at lists.webappsec.org
Subject: Re: [WEB SECURITY] XSS Question


Certainly more than popup boxes are possible :) I would advise checking out the following articles which explain abuse cases for XSS.

XSS FAQ
[1] http://www.cgisecurity.com/xss-faq.html#whatare

Worms and malware section
[2] http://projects.webappsec.org/w/page/13246920/Cross-Site-Scripting

XSS wikipedia exploit scenarios section
[3] http://en.wikipedia.org/wiki/Cross-site_scripting#Exploit_scenarios

Regards,
- Robert
http://www.webappsec.org/
http://www.qasec.com/


> Hello,
>
> During a recent web pentest I found an input vulnerable to XSS. The developers have come back to me saying they resolved the issue, but upon retesting I found it still vulnerable to the following string: \";alert('XSS');//
>
> Just for my own education, can anything malicious be done with such a string or is the extent of the damage a popup box (which is what I currently get)?
>
> Thank you,
> Jason
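
An added illustration, not part of the thread: one way a fix can still fail on the retest string while looking complete, next to an encoding that holds. It assumes the input is reflected into a double-quoted JavaScript string literal and that the fix backslash-escapes `"` only; the thread states neither, and every function name here is hypothetical.

```javascript
// Added example. Assumption: the page builds  var q = "<user input>";
// server-side; the thread does not show the real template.

// Constructed input: the retest string quoted in the thread.
const PAYLOAD = String.raw`\";alert('XSS');//`;

// Hypothetical incomplete fix: escapes " but leaves \ untouched, so a
// backslash already in the input neutralises the one the filter adds.
function escapeQuotesOnly(input) {
  return input.replace(/"/g, '\\"');
}

// Context-aware encoding for a JS string literal: every character that is
// not alphanumeric becomes \uXXXX, so quotes, backslashes, line breaks and
// "</script>" can never terminate the literal or the script block.
function encodeForJsString(input) {
  return input.replace(/[^A-Za-z0-9]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Renders the statement and runs it with a stub alert() that only records
// calls. Returns what executed and what the variable finally held.
function render(escapeFn, userInput) {
  const script = 'var q = "' + escapeFn(userInput) + '";\nreturn q;';
  const calls = [];
  const value = new Function('alert', script)((msg) => calls.push(msg));
  return { script, calls, value };
}

for (const [name, fn] of [['quotes only', escapeQuotesOnly],
                          ['\\uXXXX encoding', encodeForJsString]]) {
  const r = render(fn, PAYLOAD);
  console.log(name + ': alert calls =', r.calls, '| q =', JSON.stringify(r.value));
}
```

With the quotes-only filter the literal ends right after the escaped backslash and the rest of the input runs as code; with the `\uXXXX` encoding the variable holds the input unchanged as data.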



