Author Topic: XSS Vulnerability Question  (Read 2976 times)

0 Members and 2 Guests are viewing this topic.

Offline PiZZ4

  • Serf
  • *
  • Posts: 26
  • Cookies: 2
    • View Profile
XSS Vulnerability Question
« on: September 11, 2011, 09:14:48 pm »
I'm sort of a noob when it comes to XSS vulnerabilities, so here is a noob question:

Lets say if you have found a xss vulnerability on a website, what can you do with it?

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: XSS Vulnerability Question
« Reply #1 on: September 11, 2011, 09:32:39 pm »
I guess nothing. Unless it's an persistent one.

Offline Satori

  • Peasant
  • *
  • Posts: 88
  • Cookies: 3
    • View Profile
Re: XSS Vulnerability Question
« Reply #2 on: September 11, 2011, 09:54:22 pm »
I guess nothing. Unless it's an persistent one.
And this isnt true.
You could make a cookie grabber and send the xxs vulnerable link to victims for example.


Offline ca0s

  • VIP
  • Sir
  • *
  • Posts: 432
  • Cookies: 53
    • View Profile
    • ka0labs #
Re: XSS Vulnerability Question
« Reply #3 on: September 11, 2011, 10:01:38 pm »
You can do whatever you want. Exploit a browser bug, steal credentials, use browsers as zombies.
If is persistent, so much easier. If not, also exploitable (more likely targeted attacks).
For an example, look for the Beef framework.

Offline gh0st

  • Sir
  • ***
  • Posts: 575
  • Cookies: 8
  • #DEDSec
    • View Profile
Re: XSS Vulnerability Question
« Reply #4 on: September 11, 2011, 10:25:18 pm »
you can steal the credentials of some1 if he/she clicks the link or visit the exploit
http://www.youtube.com/watch?v=WZCXIrW0xZ0
http://www.youtube.com/watch?v=JBpG2fie_aA&feature=related
thanx to infinity exists
I know a bit the teory but Ive never done it before

Offline FuyuKitsune

  • Knight
  • **
  • Posts: 292
  • Cookies: 21
    • View Profile
Re: XSS Vulnerability Question
« Reply #5 on: September 12, 2011, 01:41:19 am »
Insert Javascript to the page. Sometimes it's a bit difficult with the filters, basic PHP filters may require some code maneuvering, but it's easy enough to run Javascript or link to a JS file. Last time I did an XSS I did JS to change the background image to a dancing banana.

Offline PiZZ4

  • Serf
  • *
  • Posts: 26
  • Cookies: 2
    • View Profile
Re: XSS Vulnerability Question
« Reply #6 on: September 13, 2011, 05:49:05 pm »
You can do whatever you want. Exploit a browser bug, steal credentials, use browsers as zombies.
If is persistent, so much easier. If not, also exploitable (more likely targeted attacks).
For an example, look for the Beef framework.

It's defiantly persistent, I've double checked just to make sure it was.

[/quote]Insert Javascript to the page. Sometimes it's a bit difficult with the filters, basic PHP filters may require some code maneuvering, but it's easy enough to run Javascript or link to a JS file. Last time I did an XSS I did JS to change the background image to a dancing banana.[/quote]

Now that is interesting, I guess I'll have to look into that.

Offline FuyuKitsune

  • Knight
  • **
  • Posts: 292
  • Cookies: 21
    • View Profile
Re: XSS Vulnerability Question
« Reply #7 on: September 13, 2011, 06:30:07 pm »
Now that is interesting, I guess I'll have to look into that.
It has to be a .js file. I spend a long time screwing up because I was trying to run .txt extensions and extensionless files in HTML.

iMorg

  • Guest
Re: XSS Vulnerability Question
« Reply #8 on: September 14, 2011, 09:02:02 am »
Session Hijacking.

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: XSS Vulnerability Question
« Reply #9 on: September 14, 2011, 02:40:23 pm »
Session Hijacking.

That would be the same as cookie grabbing.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline noob

  • Knight
  • **
  • Posts: 202
  • Cookies: 29
    • View Profile
Re: XSS Vulnerability Question
« Reply #10 on: September 14, 2011, 04:50:48 pm »
Code: [Select]
http://rapidshare.com/files/129854305/www_GoonWarez_com_1213375552.zip