Certainly more than popup boxes are possible :) I would advise checking
out the following articles which explain abuse cases for XSS.

XSS FAQ
[1] http://www.cgisecurity.com/xss-faq.html#whatare

Worms and malware section
[2] http://projects.webappsec.org/w/page/13246920/Cross-Site-Scripting

XSS wikipedia exploit scenarios section
[3] http://en.wikipedia.org/wiki/Cross-site_scripting#Exploit_scenarios

Regards,

• Robert
  http://www.webappsec.org/
  http://www.qasec.com/

During a recent web pentest I found an input vulnerable to XSS. The developers have come back to me saying they resolved the issue, but upon retesting I found it still vulnerable to the following string:�";alert('XSS');//

Just for my own education, can anything malicious be done with such a string or is the extent of the damage a popup box (which is what I currently get).

Thank you,
Jason

Hi Jason,

too understand the real impact of XSS, meaning what you can really
obtain, except from Robert links
take also a look at BeEF (http://code.google.com/p/beef/). We are
developing a lot of cool ideas that can be done
exploiting even a simple reflected XSS (or DOM-based one).

Feel free to ask questions on our mailing lists (very low traffic).

Cheers
/antisnatchor

Taking control over user browser (and eventually computer) using a XSS is not funny

Check XSSShell http://labs.portcullis.co.uk/application/xssshell/

There are some videos on the web showing where can you get with it.

Regards,
Juan C Calderon

-----Original Message-----
From: websecurity-bounces@lists.webappsec.org [mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of Robert A.
Sent: Thursday, June 23, 2011 11:22 AM
To: Jason Drury
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] XSS Question

Certainly more than popup boxes are possible :) I would advise checking out the following articles which explain abuse cases for XSS.

XSS FAQ
[1] http://www.cgisecurity.com/xss-faq.html#whatare

Worms and malware section
[2] http://projects.webappsec.org/w/page/13246920/Cross-Site-Scripting

XSS wikipedia exploit scenarios section
[3] http://en.wikipedia.org/wiki/Cross-site_scripting#Exploit_scenarios

Regards,

• Robert
  http://www.webappsec.org/
  http://www.qasec.com/

During a recent web pentest I found an input vulnerable to XSS. The developers have come back to me saying they resolved the issue, but upon retesting I found it still vulnerable to the following string: ";alert('XSS');//

Just for my own education, can anything malicious be done with such a string or is the extent of the damage a popup box (which is what I currently get).

Thank you,
Jason

One of the things that BeEF can demonstrate, and which I also see used
for malicious purposes by other scripts, is to exploit unpatched
browsers and take control over the computer. So it's certainly worth fixing.
Give your developers the OWASP XSS Prevention Cheat Sheet:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

Erlend

On 23.06.2011 18:48, Michele Orru wrote:

XSS with msf's autopwn feature and a bit of social engineering - boom you have a shell :)

Sorry for brevity, sent from my iPod,

Thanks,
Chintan

On 23-Jun-2011, at 9:45 PM, Jason Drury druryjason@yahoo.com wrote:

Hi, Jason.

I recommend you Raul Siles presentation "Brower exploitation for fun and
profit", where he explains and shows how to take control of victim machines
using a combination of BeeF & Metasploit.

https://www.sans.org/webcasts/browser-exploitation-fun-profit-93868?ref=64223
http://www.slideshare.net/rootedcon/ral-siles-browser-exploitation-for-fun-and-profit-revolutions-rootedcon-2011
http://www.taddong.com/docs/Browser_Exploitation_for_Fun&Profit_Revolutions_Taddong-RaulSiles_RootedCon-2011.pdf

Regards,
Alberto

2011/6/23 Chintan Dave davechintan@gmail.com

--
Alberto Cuesta, CISSP, GCIH
Project Manager & Technical Security Consultant

Hello Jason,

Go to Exploit-DB, and enter the "Blog" section. Read the entry titled: "vbSEO - From XSS to Reverse PHP Shell". That blog entry really shows how powerful XSS can be, and in this case it's persistent (stored).

But if it had been non-persistent (reflected), then you would just've had to lure the administrator, to click a maliciusly crafted link.

There's a youtube video (link) in the bottom of the blog entry along with a link to the tool I used / developed.

Remember, it's only your own imagination and skills that limits a XSS attack. Of course there are browser limitations as well, but you can use java and flash too! Anything a browser can run / do, is potentially possible with XSS.

If you can't use certain tags, functions etc. Use encoding! E.g., /* The XSSOR */ which you can find here! Http://intern0t.net/xssor/

Last but not least I recommend you read "The Beginners Guide to XSS". It's located on various sites, including but not limited to xssed.com (articles) and exploit-db.com (papers)

Good luck on your XSS journey!

Best regards,
MaXe
----- Original meddelelse -----