Penetration Testing mailing list archives
Re: Exploiting XSS
From: Ti <tabacco2000 () alice it>
Date: Fri, 12 Dec 2008 18:02:53 +0100
Whitehat wrote:
I wanted to do more and show to the customer, apart from normal script injection and getting it popped up.
IMHO you need a good knowledge of client side scripting languages especially in javascript to do more and more. May be also creativity. Anyway there are tools that can help you for special effects: BeFF http://www.bindshell.net/tools/beef/ Anehta http://code.google.com/p/anehta/ The first is prensent in BackTrack if you like it. I have never tried the second...
2. How an attacker can really make use of it?
An example of the power of xss is Samy, an xss virus. In less than 24 hours it infected more than one million users. Nice. http://namb.la/popular/tech.html In any case, to understand what you can do try to respond to this question: "what can I do if I can inject some arbitrary client side code?".
3. How to Compromise ??
In some cases you can compromise the client, but not the server because xss is a client side attack, of course :-) You should think of xss as the thing that helps you to spread your client side attacks. So to compromise you need also a great browser vuln.
Looking for few good inputs/imlementations/expolits/BooKs ..............
Some nice papers are: - Cross Site Scripting Virus (http://www.bindshell.net/papers/xssv/) - XSS Tunnelling (http://www.portcullis-security.com/uplds/whitepapers/XSSTunnelling.pdf) - I.P. Exploitation (http://www.ngssoftware.com/research/papers/InterProtocolExploitation.pdf) ciao, Francesco Matarazzo ------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------
Current thread:
- Re: Exploiting XSS, (continued)
- Re: Exploiting XSS NeZa (Dec 05)
- Re: Exploiting XSS Durga Prasad Adusumalli (Dec 05)
- Re: Exploiting XSS Danilo Nascimento (Dec 05)
- Re: Exploiting XSS Adriel T. Desautels (Dec 05)
- Message not available
- Re: Exploiting XSS Adriel T. Desautels (Dec 05)
- Re: Exploiting XSS Paul Melson (Dec 07)
- Re: Exploiting XSS Adriel T. Desautels (Dec 07)
- Re: Exploiting XSS xsp (Dec 07)
- Message not available