Chintan Dave davechintan at gmail.com
Thu Jun 23 15:16:35 EDT 2011

XSS with msf's autopwn feature and a bit of social engineering - boom you have a shell :)

Sorry for brevity, sent from my iPod,


On 23-Jun-2011, at 9:45 PM, Jason Drury <druryjason at yahoo.com> wrote:

> Hello,
> During a recent web pentest I found an input vulnerable to XSS. The developers have come back to me saying they resolved the issue, but upon retesting I found it still vulnerable to the following string: \";alert('XSS');//
> Just for my own education, can anything malicious be done with such a string or is the extent of the damage a popup box (which is what I currently get).
> Thank you,
> Jason
> _______________________________________________
> The Web Security Mailing List
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> http://twitter.com/wascupdates
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20110624/63c41bd2/attachment-0003.html>

More information about the websecurity mailing list