Q and A for any cross site scripting information. Feel free to ask away. 
XSS that implements XML HTTP Requests
Posted by: sjensen
Date: November 15, 2006 10:37AM

Let's assume I can create a persistent xss attack that checks the browser and implements the XHR object. Using this I can execute asynchronous attacks back to the server.

Now here's the questions:
1) can I scan the site to find valid pages to request or do I have to know the name of the page/url being requested?

2) assuming a request for a page succeeded (readystate ==4 and status==200) can I then load that result into an object/variable and send it to another location/domain for logging or retrieval?

I'm looking into creating a proof of concept for my company on what can be exploited by implementing the XHR object.



Edited 1 time(s). Last edit at 11/15/2006 10:41AM by sjensen.

Re: XSS that implements XML HTTP Requests
Posted by: sjensen
Date: November 15, 2006 12:55PM

Actually, with a little research and testing I was able to answer my own questions.

Re: XSS that implements XML HTTP Requests
Posted by: maluc
Date: November 15, 2006 01:32PM

yes and yes..

1.) have a look at pdp's javascript spider http://www.gnucitizen.org/projects/javascript-spider/launch.htm . That actually works without even needing to be on the same domain. but basically you spider the site by pulling a page then parsing out all href="blah". Only keep the ones on the same domain.

2.) this sends it to a function of your choice defined by callBack = "sendPage";

  request.onreadystatechange = function() {
    if (this.readyState==4) {
      var pulled_info = this.responseText;
      eval(callBack+"(pulled_info,"+counter+");");
    }
  };

taken from an API of mine, that i'll probably clean up and release tomorrow since microsoft decided not to patch IE's mhtml bug. =.=

You'll have to use #2 anyway, to do #1 and find the links

-maluc

Re: XSS that implements XML HTTP Requests
Posted by: maluc
Date: November 15, 2006 01:33PM

oh well, should've checked for new posts before replying.. but i guess it's useful for those with the same questions

-maluc
