[WEB SECURITY] websecurity Digest, Vol 38, Issue 8

Seth Art sethsec at gmail.com
Wed Feb 5 15:59:05 EST 2014


I assume we are talking about a reflected XSS vuln, correct?

Most of the time, you can submit what was originally a POST request as a
GET request. The easiest way is to use an interception proxy. In Burp
Repeater, you can do this with a simple right click ("Change request
method"), but really all it involves is changing the HTTP verb from POST to
GET, moving the parameters from the BODY to the URI, and removing the
Content-Length header.

In your proxy, it will look like this:

Before:
------------------------------------------------
POST /index.html HTTP/1.1
[Other headers]
Content-Length: 21

param1=abc&param2=<xss here>

------------------------------------------------


After:
------------------------------------------------
GET /index.html?param1=abc&param2=<xss here> HTTP/1.1
[Other headers]
------------------------------------------------

But if you want to illustrate the danger of sending a hyperlink to someone
else, you just convert it to:

http://www.example.com/index.html?param1=abc&param2=<xss here>


If reflected XSS, and the web server or the web application really does
only accept the vulnerable input in a POST request, your only hope left,
AFAIK, is to combine it with a CSRF.

Of course if it is a stored XSS, you should be able to submit it as a POST
without an issue.

Hope this helps,

Seth


On Tue, Feb 4, 2014 at 5:06 PM, rishabh gupta <ims2012074 at gmail.com> wrote:

> can any body tell that
> how to exploit XSS when method="post"
>
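The POST-to-GET rewrite above, and the server-side distinction it hinges on, as an added example (not code from the original post, and not Burp's own implementation). The raw request, the header set and the parameter values are constructed; the two "policy" names are my own labels for how a handler reads parameters: "merged" for servers that pool the query string and the form body (PHP's $_REQUEST, or a framework's combined request values), "body_only" for a handler that reads the form body and nothing else. The last function answers the question the post raises: after the rewrite, do the parameters still reach the handler via a plain link, or would an attacker need a CSRF page to deliver them?

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request (benign placeholder values, not the post's payload).
# Content-Length is 21: len("param1=abc&param2=xyz").
RAW_POST = (
    "POST /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 21\r\n"
    "\r\n"
    "param1=abc&param2=xyz"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, version, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def post_to_get(raw):
    """Rewrite a form POST as the equivalent GET, exactly as the post describes:
    change the verb, move the body parameters into the query string, and drop
    Content-Length (Content-Type is dropped too, since there is no body left)."""
    method, target, version, headers, body = parse_request(raw)
    if method != "POST":
        raise ValueError("expected a POST request")
    parts = urlsplit(target)
    # Keep any query string the POST already had, then append the body parameters.
    query = "&".join(q for q in (parts.query, body) if q)
    new_target = parts.path + ("?" + query if query else "")
    kept = [(n, v) for n, v in headers
            if n.lower() not in ("content-length", "content-type")]
    lines = [f"GET {new_target} {version}"] + [f"{n}: {v}" for n, v in kept]
    return "\r\n".join(lines) + "\r\n\r\n"


def to_hyperlink(raw_post, scheme="http"):
    """The same parameters as a plain URL built from the Host header
    (the 'send someone a hyperlink' form shown in the post)."""
    _, target, _, headers, _ = parse_request(post_to_get(raw_post))
    host = {n.lower(): v for n, v in headers}["host"]
    return f"{scheme}://{host}{target}"


def collect_params(raw, policy):
    """Model what a server-side handler sees under one of two (assumed) policies:
    'merged'    - query string and form body are pooled into one parameter set
    'body_only' - only the form body of a POST is read; a GET carries nothing"""
    method, target, _, headers, body = parse_request(raw)
    params = {}
    if policy == "merged":
        params.update(parse_qsl(urlsplit(target).query))
    elif policy != "body_only":
        raise ValueError(f"unknown policy {policy!r}")
    if method == "POST":
        params.update(parse_qsl(body))
    return params


def reachable_by_link(raw_post, policy):
    """True if every parameter of the original POST still reaches the handler
    after the GET rewrite, i.e. a plain hyperlink suffices to deliver it.
    False means the application only takes this input in a POST body, which is
    the case where the post says a reflected issue would need CSRF to deliver."""
    original = collect_params(raw_post, "body_only")
    via_get = collect_params(post_to_get(raw_post), policy)
    return all(via_get.get(k) == v for k, v in original.items())


if __name__ == "__main__":
    print(post_to_get(RAW_POST))
    print(to_hyperlink(RAW_POST))
    for policy in ("merged", "body_only"):
        print(policy, "reachable by link:", reachable_by_link(RAW_POST, policy))
```

From the defender's side, the second policy is the mitigation implied by the post: a handler that reads the form body only (rather than a pooled parameter set) cannot be driven by a URL, so a reflected sink behind it is not reachable by a link alone. Verifying which policy an application follows is a matter of sending the rewritten GET and checking whether the parameter is still processed.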

