Re: Odd XSS Exploit



This is not related to XSS but to input validation. It looks like it
doesn't know what to do with the %27, which is a ' mark. Since it's a
username field and it doesn't like the ' mark, you should look more at
SQL injection and the logic processing of the application.
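As an added illustration of that point (example code written for this reply, not part of the original thread; the user table and the password check are constructed stand-ins for whatever the portal actually does), the script decodes the posted login URL and shows why a stray ' in j_username is an input-handling problem rather than an XSS one: concatenated into SQL text it breaks the statement and produces an error, while passed as a bind parameter it is inert data.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# The login URL from the original post ("host" is the poster's placeholder).
LOGIN_URL = ("https://host/portal/j_acegi_security_check"
             "?j_username=%27%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E"
             "&j_password=d&login=Login")


def decode_login_params(url):
    """Return the URL-decoded form fields exactly as the application sees them."""
    fields = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def make_db():
    # Constructed sample user table standing in for the portal's real database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'secret')")
    return conn


def lookup_concatenated(conn, username, password):
    """Fragile pattern: the decoded ' lands inside the SQL text, so the
    statement no longer parses and the application falls over with an error."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username, password):
    """Hardened form: values travel as bind parameters, so a quote in the
    username is just data and the query simply finds no matching row."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def classify(url):
    """Report how each query style copes with the posted login parameters."""
    p = decode_login_params(url)
    conn = make_db()
    try:
        lookup_concatenated(conn, p["j_username"], p["j_password"])
        concat = "ok"
    except sqlite3.OperationalError:
        concat = "sql-error"
    rows = lookup_parameterized(conn, p["j_username"], p["j_password"])
    return {"username": p["j_username"], "concatenated": concat,
            "parameterized_rows": len(rows)}
```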

On Sat, May 3, 2008 at 1:02 AM, arvind doraiswamy
<arvind.doraiswamy@xxxxxxxxx> wrote:
You want to elaborate a bit more on this? My feel is that the fact
that it gave you a session error back meant that you were already
logged in to the application. Then you intercepted or somehow did the
XSS bit, upon which the app detected you had messed around with the
variables and threw you out. You then killed Firefox, which should have
destroyed the session as well but for some reason did not. Most
probably because there is some kind of "remember me" feature in the
application which is storing session state somewhere (maybe a cookie??),
or the page you see is cached and there's no real connection
happening to the server when you go to that page again. This sounds
possible as well because a "logged in user" page, if it has static
content, might not change and is cached. That is a problem but it's not
an XSS problem.

If I've misunderstood please post back.

Cheers
Arvind

On Thu, May 1, 2008 at 7:59 AM, <guinness.stout@xxxxxxxxx> wrote:
> I was hoping someone could shed some light on this odd XSS
> vulnerability I uncovered while doing a pentest for a client. The
> site is a customer portal and when the below XSS is executed nothing
> happens. Basically gives a session error back, nothing interesting
> there. But when you kill -9 or End Process on Firefox then reopen
> with "Restore Session" the site comes back up to the XSS but dumps
> logged-in users' information.
>
> I cannot replicate this in other browsers nor with Paros, webscarab, SPIKE etc.
>
> https://host/portal/j_acegi_security_check?j_username=%27%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&j_password=d&login=Login
>
> -Chris
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>
