Re: Exploiting XSS



Hi,
You should forward your customers onto someone who knows the answers to those questions already. It frightens me to think that you are offering to provide security services to people when you don't know what it is that you are doing or why a risk is a risk.

On Dec 3, 2008, at 12:08 AM, Whitehat wrote:

Dear List,

I'm doing a WAPT for a website and found many XSS issues (both Stored
and Reflected).
I wanted to do more and show to the customer, apart from normal script
injection and getting it popped up.

Consider that you found an XSS issue in a field and your script is running,

1. Now what are the further steps for exploiting XSS completely?
2. How can an attacker really make use of it?
3. How to compromise?
4. What are the real-world scenarios that can be used?

Looking for a few good inputs/implementations/exploits/books.

Thanks in advance,

Cheers,
White hat


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


Adriel T. Desautels
ad_lists@xxxxxxxxxxxxx



