Re: XSS Questions

From: Mr. The Brain (slack3r@boy-genius.net)
Date: Wed Dec 11 2002 - 01:34:10 EST


Thus spake John Madden <chiwawa999@yahoo.com> On Sat, 7 Dec 2002
06:36:17 -0800 (PST):

> Hello all,
 
[clip]
 
> What is the real vulnerability if the site in
> question is vulnerable to XSS but does not let you
> write any malicious scripts on the system, like
> message board, forums etc... ? Can anything be done to
> exploit XSS if the above scenario occurs ? I know it
> depends on the web server, packages installed etc...
> I'm asking in general, is it possible ?

Here's one possibility: if the script that's vulnerable to the XSS
attack is using an HTTP GET method for input gathering, you can throw in
all your JavaScript as part of the href in an anchor tag, so that it's
not as easily noticeable, and send the link to an unwary user. Then make
the JavaScript send you their document.cookie. For instance,

(A href="stupid_site.com/stupid.asp?var=<script>alert('xss');</script>")
Fun and perfectly harmless link! (/a)

Send that to someone in an HTML email, AOL IM conversation, etc. and
you'll probably get many unwary/ignorant people.

However, if stupid.asp uses an HTTP POST, you can just make a little
page on a website with a form that exploits it through hidden values, as
such,

(input type="hidden" name="var" value="<script>alert('xss');</script>")

which would be harder to detect. And, if you're feeling creative,
you could even make it non-hidden, and add a JavaScript function to
change the value of the input to whatever you want with an onSubmit
trigger.

Just my thoughts on the issue. XSS is a lot of fun :-P. Best of luck.

-Bryan
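
Seen from the defending side, the GET link and the hidden-field POST form in the reply above both deliver the same value to the same output sink, so one fix covers both: encode the value where it is written into the page, and keep the session cookie out of reach of document.cookie. The following is an added example, not part of the original post; the function names and sample requests are constructed, and only the parameter name "var", the path and the alert payload come from the message.

```javascript
// Added example, not from the original post. Function names and the sample
// requests are constructed; "var" and the payload are the ones quoted above.

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read "var" from a GET query string or a urlencoded POST body.
function readVar(method, url, body) {
  const q = url.indexOf('?');
  const raw = method === 'POST' ? body : (q === -1 ? '' : url.slice(q + 1));
  return new URLSearchParams(raw).get('var') || '';
}

// The "before": input is reflected into the page verbatim.
function renderVulnerable(value) {
  return '<p>You entered: ' + value + '</p>';
}

// The "after": same page, value encoded at the point of output.
function renderHardened(value) {
  return '<p>You entered: ' + escapeHtml(value) + '</p>';
}

// Session cookie that page script cannot read through document.cookie.
function sessionCookie(id) {
  return 'session=' + encodeURIComponent(id) + '; Path=/; HttpOnly; Secure; SameSite=Lax';
}

const payload = "<script>alert('xss');</script>";
const samples = [
  { method: 'GET', url: '/stupid.asp?var=' + payload, body: '' },
  { method: 'POST', url: '/stupid.asp', body: 'var=' + encodeURIComponent(payload) },
];

// Render both sample requests through the vulnerable and the hardened path.
function demo() {
  return samples.map((r) => {
    const v = readVar(r.method, r.url, r.body);
    return { method: r.method, before: renderVulnerable(v), after: renderHardened(v) };
  });
}

console.log(demo(), sessionCookie('constructed-id'));
```

Switching the script from GET to POST changes nothing in the output: both requests produce identical markup in each column, which is why the encoding belongs at the sink rather than in method checks.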





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:26 EDT