Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Penetration Testing: Re: Odd XSS Exploit

Re: Odd XSS Exploit

From: arvind doraiswamy <arvind.doraiswamy_at_gmail.com>
Date: Sat, 3 May 2008 10:32:46 +0530

You want to elaborate a bit more on this? My feel is that the fact
that it gave you a session error back meant that you were already
logged in to the application. Then you intrcepted or somehow did the
XSS bit upon which the app detected you had messed around with the
variables and threw you out. You then killed Firefox which should have
destroyed the session as well but for some reason did not. Most
probably because there is some kind of "remember me " feature in the
application which is storing session state somewhere(maybe a cookie??)
or the page what you see is cached and there's no real connection
happening to the server when you go to that page again. This sounds
possible as well because a "logged in user" page if it has static
content might not change and is cached. That is a problem but its not
an XSS problem.

If I've misunderstood please post back.

Cheers
Arvind

On Thu, May 1, 2008 at 7:59 AM, <guinness.stout_at_gmail.com> wrote:
> I was hoping someone could shed some light on this odd XSS
>
> vulnerability I uncovered while doing a pentest for a client. The
>
> site is a customer portal and when the below XSS is executed nothing
>
> happens. Basically gives a session error back, nothing interesting
>
> there. But when you kill -9 or End Process on FireFox then reopen
>
> with "Restore Session" the site comes back up to the XSS but dumps
>
> logged in users information.
>
>
> I cannot replicate this in other browsers nor with Paros, webscarab, SPIKE etc.
>
>
> https://host/portal/j_acegi_security_check?j_username=%27%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&j_password=d&login=Login
>
>
> -Chris
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Received on May 05 2008

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]