Monday, September 16, 2013

More On XSS vulnerabilities

XSS vulnerabilities are among the most basic concepts in web security; XSS is essentially a subclass of code injection. XSS comes in three forms:
  • Stored
  • Reflected
  • DOM based

Finding and exploiting these types of vulnerabilities is very common. Now comes the question of how to protect against them.

To protect a web application against XSS vulnerabilities, some people simply escape (strip out) the tags. Though this is effective, it leads to a loss of functionality in some cases, because a user can no longer post a comment that contains them. To get out of situations like these, the concept of HTML encoding was introduced. HTML encoding renders text in a format in which the text is only displayed, never processed by the browser's scripting engine.

XSS in www.toptalent.in

Hi,
Today I am going to tell you about an exploit on a live site, www.toptalent.in. You are advised not to reproduce the attack under any circumstances. So let's start. What do we need to know?
Let's say a basic JavaScript snippet works just fine. The name of this attack is XSS, better known as cross-site scripting. How does this attack work? It is simple: it takes advantage of the fact that toptalent.in does not sanitize the input it receives from customers, and also of the fact that a browser has a JavaScript engine which will run any script it is given.
Now, to get started you will need to go to the employer's account. A fake account works just fine, and it only requires a simple email ID to validate. Once you have set up this account, go over to change the name of the company. Well, don't actually name your company; instead simply insert a script in this field to finish this stage of the XSS attack. Let's say a simple script like

<script>alert("Y0u R 0wn3d");</script>

should work just fine. Log in again using your employer's account and see the change. This type of XSS is called a stored XSS vulnerability; it can be seen in many places and, with a little creativity, is mostly used for defacing websites.
Going a step further, I realized that the names of new companies were also stored on the homepage. Well, let's say I exploited that vulnerability by changing the name of the company a little and got my own message right across the home page.
I posted an image of the first attack that I conducted; I guess the second attack is for you to figure out.
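The HTML-encoding idea from the first post, applied to the stored company-name field described above, as an added example (not code from the original blog or from toptalent.in). It contrasts the naive tag-stripping approach, which also destroys legitimate text, with entity encoding, which leaves the quoted payload inert. The `renderCompanyName` helpers and the sample inputs are constructed for illustration and are not the site's own code.

```javascript
// Added example: HTML-encoding user-supplied text before it is rendered,
// compared with naive tag stripping. Not from the original post.

// Naive approach: strip the tags outright. It neutralises the payload but
// also mangles legitimate content such as a comment that mentions "<b>".
function stripTags(input) {
  return String(input).replace(/<[^>]*>/g, "");
}

// HTML entity encoding: every character that has meaning to the HTML parser
// is replaced with its entity, so the browser displays the text verbatim and
// never hands it to the script engine.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

function htmlEncode(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hypothetical server-side template for the company name.
// Vulnerable form: the stored value is interpolated as raw HTML.
function renderCompanyNameUnsafe(name) {
  return `<h2 class="company">${name}</h2>`;
}

// Hardened form: the stored value is entity-encoded at output time.
function renderCompanyName(name) {
  return `<h2 class="company">${htmlEncode(name)}</h2>`;
}

// Defender-side check: does the rendered fragment contain any tag other than
// the template's own <h2>? A stored payload that survived encoding shows up here.
function containsForeignTag(fragment) {
  const tags = fragment.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?h2\b/.test(t));
}

// Constructed sample input: the payload quoted in the post.
const STORED_PAYLOAD = '<script>alert("Y0u R 0wn3d");</script>';
// Constructed sample of a legitimate comment that tag stripping would mangle.
const LEGIT_COMMENT = "Use <b> for bold, and remember 3 < 5";

if (typeof require !== "undefined" && require.main === module) {
  console.log(stripTags(LEGIT_COMMENT));                        // "<b>" is lost
  console.log(htmlEncode(LEGIT_COMMENT));                       // text preserved, inert
  console.log(containsForeignTag(renderCompanyNameUnsafe(STORED_PAYLOAD))); // true
  console.log(containsForeignTag(renderCompanyName(STORED_PAYLOAD)));       // false
}
```

Encoding at output time (in `renderCompanyName`) rather than at input time is the usual choice, because the same stored value may later be emitted into contexts other than an HTML body, each needing its own encoding.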

First Lesson

Hi,
First of all, let me tell you what this blog is not. It is not some page for giving training to hackers, but something to prevent it. Cyber-security is a very vast topic, but over the whole span in which I conducted hacks I realized that cyber security is simply finding bugs in a program, and then exploiting this bug in a beautiful way that no one thought could be done.
So to all of you who want to become experts in cyber security, my advice: go over and study. Study till you become fluent in the subject, and only then may you be able to start penetration testing.
Also, one last thing: even though Windows is cool, I would urge you to move to Linux. Linux is user friendly too, plus there is a lot to learn about it. So install Linux, guys, and stay tuned.