Hello,
During a recent web pentest I found an input vulnerable to XSS. The developers have come back to me saying they resolved the issue, but upon retesting I found it still vulnerable to the following string: ";alert('XSS');//
Just for my own education, can anything malicious be done with such a string or is the extent of the damage a popup box (which is what I currently get).
Thank you,
Jason
Certainly more than popup boxes are possible :) I would advise checking
out the following articles which explain abuse cases for XSS.
XSS FAQ
[1] http://www.cgisecurity.com/xss-faq.html#whatare
Worms and malware section
[2] http://projects.webappsec.org/w/page/13246920/Cross-Site-Scripting
XSS wikipedia exploit scenarios section
[3] http://en.wikipedia.org/wiki/Cross-site_scripting#Exploit_scenarios
Regards,
It helps to know where the alert is being injected and executed within the page. However, yes, anytime you are able to inject arbitrary script and have it executed it is a doorway for an attacker to perform more advanced attacks. It's just a matter of understanding the attack vector and some trial and error.
Date: Thu, 23 Jun 2011 09:15:53 -0700
From: druryjason@yahoo.com
To: websecurity@lists.webappsec.org
Subject: [WEB SECURITY] XSS Question
Hello,
During a recent web pentest I found an input vulnerable to XSS. The developers have come back to me saying they resolved the issue, but upon retesting I found it still vulnerable to the following string: ";alert('XSS');//
Just for my own education, can anything malicious be done with such a string or is the extent of the damage a popup box (which is what I currently get).
Thank you,
Jason
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Hi Jason,
To understand the real impact of XSS, meaning what you can really obtain, apart from Robert's links, take also a look at BeEF (http://code.google.com/p/beef/). We are developing a lot of cool ideas that can be done exploiting even a simple reflected XSS (or DOM-based one).
Feel free to ask questions on our mailing lists (very low traffic).
Cheers
/antisnatchor
Jason Drury <mailto:druryjason@yahoo.com>
June 23, 2011 6:15 PM
Taking control over a user's browser (and eventually computer) using an XSS is not funny.
Check XSSShell http://labs.portcullis.co.uk/application/xssshell/
There are some videos on the web showing where you can get with it.
Regards,
Juan C Calderon
-----Original Message-----
From: websecurity-bounces@lists.webappsec.org [mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of Robert A.
Sent: Thursday, June 23, 2011 11:22 AM
To: Jason Drury
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] XSS Question
One of the things that BeEF can demonstrate, and which I also see used
for malicious purposes by other scripts, is to exploit unpatched
browsers and take control over the computer. So it's certainly worth fixing.
Give your developers the OWASP XSS Prevention Cheat Sheet:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Erlend
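Erlend's cheat-sheet pointer, worked through as an added example (JavaScript; not code from the thread, from OWASP or from the application Jason tested). It assumes the vulnerable page echoes the input into a JavaScript string literal inside a script block, which is the context Jason's payload is shaped for, and compares a fix that only encodes angle brackets with the cheat sheet's Rule #3 escaping; the template, encoders and runner are all constructed here.

```javascript
// Added example, not code from the thread. A page echoes a query parameter
// into a JavaScript string literal inside <script>. A fix that only encodes
// < and > (blocking "<script>" tags) still lets Jason's payload break out;
// OWASP XSS Prevention Cheat Sheet Rule #3 (escape every non-alphanumeric
// character as \xHH / \uHHHH in JS data values) does not. All constructed here.

const PAYLOAD = "\";alert('XSS');//";   // the string from the original post
// Common but insufficient "fix": only angle brackets are encoded.
function encodeAngleBracketsOnly(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Rule #3 style encoder for a JS string value: everything outside [A-Za-z0-9]
// becomes \xHH (or \uHHHH above 0xFF), so nothing can terminate the literal,
// start a // comment, or close the surrounding <script> element.
function encodeForJsString(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    if (/[A-Za-z0-9]/.test(s[i])) { out += s[i]; continue; }
    const code = s.charCodeAt(i);
    out += code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  }
  return out;
}

// Server-side template: untrusted input lands inside a JS string literal.
function renderScript(input, encode) {
  return 'var q = "' + encode(input) + '";';
}

// Execute the rendered script as a browser would, with alert() stubbed so we
// can observe whether injected code ran. Returns the alert calls and the
// value assigned to q, or the syntax/runtime error.
function runRendered(input, encode) {
  const alerts = [];
  const script = renderScript(input, encode);
  try {
    // "return q" goes on its own line so a trailing // cannot swallow it
    const fn = new Function("alert", script + "\nreturn q;");
    return { alerts, q: fn(m => alerts.push(String(m))), error: null };
  } catch (e) {
    return { alerts, q: undefined, error: e.message };
  }
}

console.log(runRendered(PAYLOAD, encodeAngleBracketsOnly)); // alerts: ['XSS']
console.log(runRendered(PAYLOAD, encodeForJsString));       // q === PAYLOAD
```

The same Rule #3 encoder is what the cheat sheet prescribes for any JavaScript data value; HTML entity encoding is the rule for HTML body context and is not interchangeable with it.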
On 23.06.2011 18:48, Michele Orru wrote:
Hi Jason,
I guess you can customize the victim web application to another web
application for your own :)
Regards
-Fonix Li
From: websecurity-bounces@lists.webappsec.org
[mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of Erlend
Oftedal
Sent: Thursday, June 23, 2011 10:29 AM
To: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] XSS Question
XSS with msf's autopwn feature and a bit of social engineering - boom you have a shell :)
Sorry for brevity, sent from my iPod,
Thanks,
Chintan
On 23-Jun-2011, at 9:45 PM, Jason Drury druryjason@yahoo.com wrote:
Hi, Jason.
I recommend Raul Siles' presentation "Browser exploitation for fun and
profit", where he explains and shows how to take control of victim machines
using a combination of BeEF & Metasploit.
https://www.sans.org/webcasts/browser-exploitation-fun-profit-93868?ref=64223
http://www.slideshare.net/rootedcon/ral-siles-browser-exploitation-for-fun-and-profit-revolutions-rootedcon-2011
http://www.taddong.com/docs/Browser_Exploitation_for_Fun&Profit_Revolutions_Taddong-RaulSiles_RootedCon-2011.pdf
Regards,
Alberto
2011/6/23 Chintan Dave davechintan@gmail.com
--
Alberto Cuesta, CISSP, GCIH
Project Manager & Technical Security Consultant
Hello Jason,
Go to Exploit-DB, and enter the "Blog" section. Read the entry titled: "vbSEO - From XSS to Reverse PHP Shell". That blog entry really shows how powerful XSS can be, and in this case it's persistent (stored).
But if it had been non-persistent (reflected), then you would just have had to lure the administrator to click a maliciously crafted link.
There's a YouTube video (link) at the bottom of the blog entry along with a link to the tool I used / developed.
Remember, it's only your own imagination and skills that limit an XSS attack. Of course there are browser limitations as well, but you can use Java and Flash too! Anything a browser can run / do is potentially possible with XSS.
If you can't use certain tags, functions, etc., use encoding! E.g., /* The XSSOR */, which you can find here: Http://intern0t.net/xssor/
Last but not least, I recommend you read "The Beginners Guide to XSS". It's located on various sites, including but not limited to xssed.com (articles) and exploit-db.com (papers).
Good luck on your XSS journey!
Best regards,
MaXe
----- Original message -----