MaXe owasp at intern0t.net
Sun Jun 26 14:10:20 EDT 2011

Hello Jason,

Go to Exploit-DB, and enter the "Blog" section. Read the entry titled: "vbSEO - From XSS to Reverse PHP Shell". That blog entry really shows how powerful XSS can be, and in this case it's persistent (stored).

But if it had been non-persistent (reflected), then you would just have had to lure the administrator to click a maliciously crafted link.

There's a YouTube video (link) at the bottom of the blog entry along with a link to the tool I used / developed.

Remember, it's only your own imagination and skills that limit an XSS attack. Of course there are browser limitations as well, but you can use Java and Flash too! Anything a browser can run / do is potentially possible with XSS.

If you can't use certain tags, functions etc., use encoding! E.g., /* The XSSOR */ which you can find here! Http://intern0t.net/xssor/

Last but not least, I recommend you read "The Beginners Guide to XSS". It's located on various sites, including but not limited to xssed.com (articles) and exploit-db.com (papers).

Good luck on your XSS journey!

Best regards,
----- Original message -----
> Hello,
> During a recent web pentest I found an input vulnerable to XSS. The
> developers have come back to me saying they resolved the issue, but upon
> retesting I found it still vulnerable to the following string:
>  \";alert('XSS');//
> Just for my own education, can anything malicious be done with such a
> string or is the extent of the damage a popup box (which is what I
> currently get).
> Thank you,
> Jason
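Added example (not part of the thread, written from the defender's side): assuming the input lands inside a JavaScript string literal in an inline script (a hypothetical template, not the application Jason tested), this shows why a fix that only escapes double quotes is defeated by the quoted string, and how a context-aware encoder keeps the value inside the literal.

```javascript
// Hypothetical template: the submitted value is placed inside a JS string
// literal in an inline <script>. Nothing here is ever executed as HTML.
function renderInlineScript(encodedValue) {
  return `<script>var q = "${encodedValue}";</script>`;
}

// The kind of "fix" that only escapes double quotes. A leading backslash in
// the input swallows the one we insert: \" becomes \\" and the literal closes.
function escapeQuotesOnly(value) {
  return value.replace(/"/g, '\\"');
}

// Context-aware encoding for a JS string literal: every character that is
// not alphanumeric or a space becomes a \xHH or \uHHHH escape, so neither a
// backslash, a quote, a newline nor "</script" can survive into the page.
function encodeForJsString(value) {
  return value.replace(/[^A-Za-z0-9 ]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Defender's check: scan the rendered snippet the way a JS parser reads the
// literal (a backslash escapes the next character) and return the source
// that would run after the literal closes.
function codeAfterLiteral(html) {
  let i = html.indexOf('"') + 1;
  while (i < html.length) {
    if (html[i] === '\\') { i += 2; continue; } // escaped char, skip it
    if (html[i] === '"') break;                 // literal closes here
    i++;
  }
  return html.slice(i + 1);
}

// True when the value stayed inside the literal and only the template's own
// `;</script>` follows it.
function stringStaysContained(encoder, value) {
  return codeAfterLiteral(renderInlineScript(encoder(value))) === ';</script>';
}

// Sanity check that the encoded form reads back as the original value when
// the engine parses it (the encoder emits only \xHH / \uHHHH escapes).
function roundTrip(value) {
  return new Function(`return "${encodeForJsString(value)}";`)();
}

// Jason's string, constructed here as a JS literal: \";alert('XSS');//
const PAYLOAD = '\\";alert(\'XSS\');//';
```

With the quote-only escaper, `codeAfterLiteral` returns `;alert('XSS');//";</script>`, i.e. the injected statement runs and the trailing `//` comments out the template's own closing quote; with `encodeForJsString` it returns exactly `;</script>`.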
