Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
One flash file to bind rule them all
Posted by: WhiteAcid
Date: September 22, 2006 01:45AM

It took me a long time (it's now 07:44am) but I've done it. I created a flash file which can is similair to the PHP one I made earlier to show XSSes that use POST. This flash files lets your demonstrate any header being used.

File: http://www.whiteacid.org/misc/xss_headers.php
zip containing .php and .fla file: http://www.whiteacid.org/misc/xss_headers.zip
Demo: http://www.whiteacid.org/misc/xss_headers.php?xss_target=http://www.cambiaresearch.com/cambia3/myuseragent/&User-agent=%3Cscript%3Ealert('xss')%3C/script%3E

Keep in mind that this only works in IE.

I did have some caching problems earlier which made testing hell as the flash file didn't refresh. If that happens to you disable IEs cache. Tools -> Internet options -> settings (under the Temporary Internet Files section) -> Tick the "Every visit to the page"

Edit2: HAha, I messed up this title didn't I? I blame it on that I'm knackered.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 2 time(s). Last edit at 09/22/2006 02:26AM by WhiteAcid.

Options: ReplyQuote
Re: One flash file to bind rule them all
Posted by: rsnake
Date: September 22, 2006 10:29AM

A) Great work
B) You beat me to it
C) What would be even better is allowing this to be automatic. That is, having it take information from the page it's on (or QUERY_STRING) and automatically running it, so we can demonstrate it's effectiveness (not necessarily on your server, of course, but as an option that we can include when we are doing our own testing).

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: One flash file to bind rule them all
Posted by: WhiteAcid
Date: September 22, 2006 11:42AM

I thought about this too, once I'd had some sleep and could think straight.
Here you go:
Readme: http://www.whiteacid.org/misc/xss_headers_direct.readme.txt
Archive: http://www.whiteacid.org/misc/xss_headers_direct.zip

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Options: ReplyQuote
Re: One flash file to bind rule them all
Posted by: rsnake
Date: September 22, 2006 11:48AM

Awesome :) The funny part is that no one will use this one, but it's still slick.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote


Sorry, only registered users may post in this forum.