RE: Proof of Concept Tool on Web Application Security

From: Indian Tiger (
Date: 04/23/03

    From: "Indian Tiger" <>
    To: "pen test" <>
    Date: Wed, 23 Apr 2003 12:50:54 +0530

    Hey Everybody,

    First of all thank you very much to Robert, Rogan, Steve, Nicolas and Leah
    for their guidance to test XSS and Session ID brute force attack.

    Now I can transfer victim’s cookie to another location successfully. I have
    tested XSS to transfer cookie using following three ways:
    1. Using document.location
    2. Using Image src
    3. Using hidden fields

    The cookie, which I am getting, is of current application only, meaning if I am
    accessing I will be getting only Hotmail's session ID assigned to me
    for that session.

    Now how can I steal all cookies stored on the victim’s machine? or how to
    transfer a file
    from Victim machine using Client Side Scripting or any other way?

    Some sites convert < and > tags into &lt; and &gt; to protect themselves
    from XSS attacks. Is there any way to bypass this protection?

    I was testing some trojan execution using XSS. In this process I was able to
    run help file 31users.chm from attacker's machine to victim's machine as
    window.showhelp(file:///XXX. XXX. XXX. XXX/c:/windows/help/31users.chm)
    Is it possible to run some trojan or ActiveX component instead of help
    without alerting for any pop-up?
    Is this possible to write some malicious help file? (These files not even
    before execution.)

    As per iDEFENSE’s article on “Brute forcing Session ID” sometimes session ID
    is random. I have tested this against six sites and I was not much lucky to
    get session IDs in which only last 3-4 digits are changing.
    What do you think in practice still are they so? Since iDEFENSE has
    this research in Nov 2001 and current scenario might be a bit changed.

    In my research of six sites, four sites were using ASP session variable to
    generate session ID and remaining two their own.

    I was able to hijack ASP sessions using session IDs. In my testing, first I
    have logged in as user1, got his session ID and using user1’s session ID, I
    was able to hijack user1.

    Any help on this would be highly appreciated.

    Thanking You.

    Indian Tiger, CISSP
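
Added example, not part of the original post: a check a site owner can run on session IDs issued by their own application to see whether, as in the case the post mentions, only the last few digits change between sessions. The sample IDs are constructed and all function names are illustrative.

```python
import math
from collections import Counter

# Constructed samples (not from any real site), listed in the order issued.
# WEAK has a fixed prefix and a counter in its last four digits.
WEAK = ["KDJAHFLQPMZX20413731", "KDJAHFLQPMZX20414848",
        "KDJAHFLQPMZX20415965", "KDJAHFLQPMZX20417082"]
STRONG = ["9f2c41e07ab3d85c16e4", "03b7d9a15e6c2f48709d",
          "e61a08f3c7249bd05a3e", "5d8e37b2f01c6a94e27b"]


def column_entropy(ids):
    """Shannon entropy in bits of each character position across the IDs."""
    if len({len(s) for s in ids}) != 1:
        raise ValueError("IDs must all have the same length")
    result = []
    for column in zip(*ids):
        n = len(column)
        result.append(-sum(c / n * math.log2(c / n)
                           for c in Counter(column).values()))
    return result


def varying_positions(ids):
    """Indexes of positions that differ between at least two IDs."""
    return [i for i, h in enumerate(column_entropy(ids)) if h > 0]


def constant_step(ids):
    """Step between successive IDs if the varying tail is a counter, else None."""
    pos = varying_positions(ids)
    if not pos:
        return 0  # every ID is identical
    # Assumption: the changing part runs from the first varying position to the end.
    tails = [s[pos[0]:] for s in ids]
    if not all(t.isdigit() for t in tails):
        return None
    steps = {int(b) - int(a) for a, b in zip(tails, tails[1:])}
    return steps.pop() if len(steps) == 1 else None


def assess(ids):
    """Summarise how much of the ID actually changes between sessions."""
    pos = varying_positions(ids)
    return {"length": len(ids[0]), "varying": len(pos),
            "first_varying": pos[0] if pos else None,
            "step": constant_step(ids)}


if __name__ == "__main__":
    for name, ids in (("WEAK", WEAK), ("STRONG", STRONG)):
        print(name, assess(ids))
```

A clean result on a handful of samples only rules out the obvious fixed-prefix or counter pattern; it does not show that the generator is unpredictable.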

