RE: XSS LAB DEMO IDEAS

From: Dawes, Rogan (ZA - Johannesburg) (rdawesat_private)
Date: Wed Jan 08 2003 - 23:15:31 PST


    Once you have the cookie, you need to identify a URL on the target web
    server that will allow you to access the goodies.
    
    For example, trace the traffic when you log into your web application
    normally. Most apps will redirect you to a "landing page" immediately after
    the login. If you had the other person's cookie, you could go to that same
    page, and see what they see.
    
    How to get the cookie into play?
    
    Well, my approach would be to use a proxy, like mangle
    (http://mysite.mweb.co.za/residents/rdawes/homepage.html), SPIKE proxy,
    WebSleuth (?) etc, to add/substitute whatever cookie your browser is using
    natively with the cookie that you have captured. In that way, it makes no
    difference what cookie your browser thinks it has, the server will think you
    have the captured one.
    
    There is an exception where the client does manipulation of the cookie using
    JavaScript, but you can get around that by adding a "Set-Cookie" to the
    response if necessary.
    
    Hope this helped.
    
    Rogan
    -----Original Message-----
    From: Jeremy Junginger [mailto:jjat_private] 
    Sent: 08 January 2003 07:09 PM
    To: pen-test
    Subject: RE: XSS LAB DEMO IDEAS
    
    
    Thanks for the ideas, guys.  I'm running into a bit of technical
    trouble, though.  Perhaps you could shed some light?
    
    I now have a "victim" web server set up that I can test XSS on, and I
    have also set up an "attacker" web server that basically sits there and
    eats cookies via CGI, storing them to a local directory.  The next
    question may seem very rudimentary, but can you just write those to your
    user's "cookie" folder and "hijack" their session to the web site?  I
    know I'm missing something ::scratching my head::
    
    -Jeremy
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
    



    This archive was generated by hypermail 2b30 : Fri Jan 10 2003 - 14:49:28 PST
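
The reply above notes that the server accepts whatever cookie is sent to it, regardless of which browser originally received it. As an added example (not part of the original thread), here is one way a defender could spot that in access logs: bind each session ID to the first client that presented it and flag any later request carrying the same ID from a different client. The log layout, the cookie name `SESSIONID`, and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed (hypothetical) log layout: ip [timestamp] "request" "user-agent" "cookie header"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
SESSION_COOKIE = "SESSIONID"  # assumed name of the application's session cookie

def session_id(cookie_header):
    """Return the session cookie value from a Cookie header, or None if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE and value:
            return value
    return None

def find_replayed_sessions(lines):
    """Flag requests whose session ID was first presented by a different client."""
    first_seen = {}  # session ID -> (ip, user-agent) of the first client to send it
    alerts = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        sid = session_id(m["cookie"])
        if sid is None:
            continue  # request carried no session cookie
        client = (m["ip"], m["ua"])
        owner = first_seen.setdefault(sid, client)
        if client != owner:
            alerts.append({"line": lineno, "session": sid, "owner": owner,
                           "seen": client, "request": m["req"]})
    return alerts

# Constructed sample log (documentation-range IP addresses, made-up session IDs).
SAMPLE_LOG = [
    '192.0.2.10 [08/Jan/2003:10:00:01] "POST /login" "Mozilla/4.0 (compatible; MSIE 6.0)" ""',
    '192.0.2.10 [08/Jan/2003:10:00:02] "GET /landing" "Mozilla/4.0 (compatible; MSIE 6.0)" "SESSIONID=abc123; theme=blue"',
    '192.0.2.77 [08/Jan/2003:10:03:15] "GET /landing" "Mozilla/5.0 (X11; Linux)" "SESSIONID=zzz999"',
    '198.51.100.5 [08/Jan/2003:10:07:40] "GET /landing" "Mozilla/5.0 (X11; Linux)" "theme=blue; SESSIONID=abc123"',
    '192.0.2.10 [08/Jan/2003:10:08:05] "GET /account" "Mozilla/4.0 (compatible; MSIE 6.0)" "SESSIONID=abc123"',
]

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print("line %(line)d: session %(session)s first seen from %(owner)s, now from %(seen)s" % alert)
```

A client's address can change for ordinary reasons (proxies, NAT pools), so a mismatch is a signal to investigate or to force re-authentication, not proof of hijacking.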