I have found a website with an XSS vulnerability in a field that can't be accessed from a URL like the example below;

www.example.com/search.php?a=xssHere

The XSS vulnerability only works if I manually type in the script into the field.
How do I make it possible to link others to a page with the XSS included (submitted)?

When the search button is clicked, the page gets updated with the search data from a 'call_ajax' function, so the page doesn't get refreshed. Is this still exploitable?



Edited 1 time(s). Last edit at 06/09/2009 11:01AM by Gobo.

Try working with images - the browser will attempt to load them even if the content came in via Ajax providing you load and error events.

.mario Wrote:
-------------------------------------------------------
> Try working with images - the browser will attempt
> to load them even if the content came in via Ajax
> providing you load and error events.

I think you misunderstood me. My problem is not with finding an XSS vector, it's with somehow getting that XSS'd page to display for other users. My problem is that the search field can't be submitted from the URL like a normal XSS attack where a crafted URL is given to a victim (shown in my example), so I'm looking for alternatives.



Edited 1 time(s). Last edit at 06/09/2009 01:18PM by Gobo.

@Gobo

Try using a iframe to the target site and overlaying the target area and then social engineering to click the button. I presume the button is activated with a javascript event rather than a post or get action. You need to be able to provide content either stored or reflected in some form to conduct an attack.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

ignore my post below, i was dumb and didnt read everything about the ajax

-------

are u talking about POST vs GET?

see if you can see what the search value is, and setting it in the URL. that sometimes work
ex: hxxp://site.com/search.php?s="><script>alert(1);</script>

or you can setup a free site somewhere, and do an automatic form submission
<body onload=Form.form1.submit()>
<form method=post action=http://site.com/search.php>
<input type=hidden name=search value='"><script>alert(1);</script>
<input type=submit>
</form>

then send them the url to your free site
http://freesite.com/evil.html

and boom they are xssed


i hope thats what you are trying to do

http://www.xssed.com/archive/author=PaPPy/



Edited 2 time(s). Last edit at 06/09/2009 03:06PM by PaPPy.

http://wocares.com/pf3.php

Gobo have you managed to include the script in that page?

I have a similar problem where everything works fine just when introduced manually.

The link doesn't change when the <script> is added to the Search; it has javascript:executeSearch().

Thx.



Edited 1 time(s). Last edit at 02/16/2010 09:51AM by bobku.