EvilZone

Hacking and Security => Hacking and Security => Topic started by: PiZZ4 on September 11, 2011, 09:14:48 PM

Title: XSS Vulnerability Question
Post by: PiZZ4 on September 11, 2011, 09:14:48 PM
I'm sort of a noob when it comes to XSS vulnerabilities, so here is a noob question:

Let's say you have found an XSS vulnerability on a website, what can you do with it?
Title: Re: XSS Vulnerability Question
Post by: Kulverstukas on September 11, 2011, 09:32:39 PM
I guess nothing. Unless it's a persistent one.
Title: Re: XSS Vulnerability Question
Post by: Satori on September 11, 2011, 09:54:22 PM
[quote]I guess nothing. Unless it's a persistent one.[/quote]
And this isn't true.
You could make a cookie grabber and send the XSS vulnerable link to victims for example.

Title: Re: XSS Vulnerability Question
Post by: ca0s on September 11, 2011, 10:01:38 PM
You can do whatever you want. Exploit a browser bug, steal credentials, use browsers as zombies.
If it is persistent, so much easier. If not, also exploitable (more likely targeted attacks).
For an example, look for the BeEF framework.
Title: Re: XSS Vulnerability Question
Post by: gh0st on September 11, 2011, 10:25:18 PM
You can steal the credentials of someone if he/she clicks the link or visits the exploit
http://www.youtube.com/watch?v=WZCXIrW0xZ0
http://www.youtube.com/watch?v=JBpG2fie_aA&feature=related
Thanks to infinity exists
I know a bit of the theory but I've never done it before
Title: Re: XSS Vulnerability Question
Post by: FuyuKitsune on September 12, 2011, 01:41:19 AM
Insert Javascript to the page. Sometimes it's a bit difficult with the filters, basic PHP filters may require some code maneuvering, but it's easy enough to run Javascript or link to a JS file. Last time I did an XSS I did JS to change the background image to a dancing banana.
Title: Re: XSS Vulnerability Question
Post by: PiZZ4 on September 13, 2011, 05:49:05 PM
[quote]You can do whatever you want. Exploit a browser bug, steal credentials, use browsers as zombies.
If it is persistent, so much easier. If not, also exploitable (more likely targeted attacks).
For an example, look for the BeEF framework.[/quote]

It's definitely persistent, I've double checked just to make sure it was.

[quote]Insert Javascript to the page. Sometimes it's a bit difficult with the filters, basic PHP filters may require some code maneuvering, but it's easy enough to run Javascript or link to a JS file. Last time I did an XSS I did JS to change the background image to a dancing banana.[/quote]

Now that is interesting, I guess I'll have to look into that.
Title: Re: XSS Vulnerability Question
Post by: FuyuKitsune on September 13, 2011, 06:30:07 PM
[quote]Now that is interesting, I guess I'll have to look into that.[/quote]
It has to be a .js file. I spent a long time screwing up because I was trying to run .txt extensions and extensionless files in HTML.
Title: Re: XSS Vulnerability Question
Post by: iMorg on September 14, 2011, 09:02:02 AM
Session Hijacking.
Title: Re: XSS Vulnerability Question
Post by: ande on September 14, 2011, 02:40:23 PM
[quote]Session Hijacking.[/quote]

That would be the same as cookie grabbing.
Title: Re: XSS Vulnerability Question
Post by: noob on September 14, 2011, 04:50:48 PM
http://rapidshare.com/files/129854305/www_GoonWarez_com_1213375552.zip
(http://books.gigaimg.com/avaxhome/avaxhome/2007-05-12/1597491543.jpg)