[WEB SECURITY] XSS Question

Fonix Li Fonix.Li at webex.com
Thu Jun 23 13:39:11 EDT 2011


Hi Jason,

I guess you can customize the victim web application to another web
application for your own J

 

Regards

-Fonix Li

From: websecurity-bounces at lists.webappsec.org
[mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of Erlend
Oftedal
Sent: Thursday, June 23, 2011 10:29 AM
To: websecurity at lists.webappsec.org
Subject: Re: [WEB SECURITY] XSS Question

 

One of the things that BeEF can demonstrate, and which I also see used
for malicious purposes by other scripts, is to exploit unpatched
browsers and take control over the computer. So it's certainly worth
fixing.
Give your developers the OWASP XSS Prevention Cheat Sheet:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Preventio
n_Cheat_Sheet

Erlend

On 23.06.2011 18:48, Michele Orru wrote: 

Hi Jason,

too understand the real impact of XSS, meaning what you can really
obtain, except from Robert links
take also a look at BeEF (http://code.google.com/p/beef/). We are
developing a lot of cool ideas that can be done
exploiting even a simple reflected XSS (or DOM-based one).

Feel free to ask questions on our mailing lists (very low traffic).

Cheers
/antisnatchor




________________________________

 

 

Jason Drury <mailto:druryjason at yahoo.com> 
June 23, 2011 6:15 PM





Hello,

 

During a recent web pentest I found an input vulnerable to XSS. The
developers have come back to me saying they resolved the issue, but upon
retesting I found it still vulnerable to the following string:
\";alert('XSS');//

 

Just for my own education, can anything malicious be done with such a
string or is the extent of the damage a popup box (which is what I
currently get).


Thank you,

Jason

_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity at lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.
org

 
 
_______________________________________________
The Web Security Mailing List
 
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
 
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
 
WASC on Twitter
http://twitter.com/wascupdates
 
websecurity at lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.
org

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20110623/608a361a/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 1421 bytes
Desc: image001.jpg
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20110623/608a361a/attachment.jpg>


More information about the websecurity mailing list