Thus spake John Madden <chiwawa999at_private> On Sat, 7 Dec 2002 06:36:17 -0800 (PST):

> Hello all,
[clip]
> What is the real vulnerability if the site in
> question is vulnerable to XSS but does not let you
> write any malicious scripts on the system, like
> message board, forums etc... ? Can anything be done to
> exploit XSS if the above scenario occurs ? I know it
> depends on the web server, packages installed etc...
> I'm asking in general, is it possible ?

Here's one possibility: if the script that's vulnerable to the XSS attack is using an HTTP GET method for input gathering, you can throw in all your javascript as part of the href in an anchor tag, so that it's not as easily noticeable, and send the link to an unwary user. Then make the javascript send you their document.cookie. For instance,

    (A href="stupid_site.com/stupid.asp?var=<script>alert('xss');</script>") Fun and perfectly harmless link! (/a)

Send that to someone in an HTML email, AOL IM conversation, etc. and you'll probably get many unwary/ignorant people.

However, if stupid.asp uses an HTTP POST, you can just make a little page on a website with a form that exploits it through hidden values, as such,

    (input type="hidden" name="var" value="<script>alert('xss');</script>")

which would be harder to detect. And, if you're feeling creative, you could even make it non-hidden, and add a javascript function to change the value of the input to whatever you want with an onSubmit trigger.

Just my thoughts on the issue. XSS is a lot of fun :-P.

Best of luck.

-Bryan
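The reflected-parameter bug Bryan describes, shown beside its fix, as an added example that is not code from the thread or from any real "stupid.asp". It assumes a page that echoes a `var` query parameter; the names `escapeHtml`, `parseVar`, `renderVulnerable`, `renderSafe`, `sessionCookieHeader` and `containsRawScriptTag` are hypothetical, and the request line is constructed. Node.js or a browser console, no dependencies.

```javascript
// Added example, not code from the original thread. Hypothetical names:
// escapeHtml, parseVar, renderVulnerable, renderSafe, sessionCookieHeader, containsRawScriptTag.

// Encode the characters that let reflected text escape an HTML text node or a
// double-quoted attribute. Output encoding at the point of reflection is the fix
// for the "var=<script>..." case in the thread, for GET and POST alike.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pull the "var" parameter out of a request URL (constructed base, no server needed).
function parseVar(requestUrl) {
  return new URL(requestUrl, "http://localhost").searchParams.get("var") || "";
}

// The bug as described: the parameter is interpolated straight into the page.
function renderVulnerable(varValue) {
  return `<p>You searched for: ${varValue}</p>`;
}

// Hardened: same page, parameter encoded before it reaches the HTML.
function renderSafe(varValue) {
  return `<p>You searched for: ${escapeHtml(varValue)}</p>`;
}

// A session cookie with HttpOnly is not exposed through document.cookie, so a
// script injection that does land cannot read it; Secure and SameSite narrow
// the transport and cross-site sending further.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Does rendered HTML still contain an unencoded script tag? A quick regression check.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed request mirroring the thread's link, percent-encoded as a browser sends it.
const sampleRequest = "/stupid.asp?var=%3Cscript%3Ealert('xss');%3C/script%3E";
```

Running `renderVulnerable(parseVar(sampleRequest))` reproduces the reflection; `renderSafe` returns the same page with the tag rendered as literal text, which is the check to put in a test suite for every reflected parameter.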
This archive was generated by hypermail 2b30 : Wed Dec 11 2002 - 08:23:59 PST