Post by: T_Bone on July 20, 2010, 11:32:03 AM
OK, so some of you guys will probably have seen some of my posts... basically I am a newbie Pen Tester and have predominantly started performing web app assessments.
When decompiling flash files I generally look for encryption algorithms and salts, directories you can access and enumerate, crossdomain.xml file for * as the domains it can use. Any more?
Any help would be appreciated.
Post by: Equix3n- on July 20, 2010, 01:09:32 PM
Check out w3schools.com
Some websites employ filters in which case the standard alert dialog will not work. You will then have to try various evasion techniques.
e.g. <script><script>alert('xss')</script></script>. So if one <script></script> gets blocked, the other passes through.
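Added example, not part of the original posts: why the doubled tag in the post above survives a filter that removes only the first match, and how encoding on output closes the gap instead of blocklisting. The function names are hypothetical and the sample input is the string from the post.

```javascript
// Constructed sample: the exact string quoted in the post above.
const SAMPLE = "<script><script>alert('xss')</script></script>";

// Weak filter: String.prototype.replace with a *string* pattern removes only
// the first occurrence, so one <script> pair is dropped and the other remains.
function stripScriptOnce(input) {
  return input.replace('<script>', '').replace('</script>', '');
}

// Hardened: do not try to delete "bad" markup. Encode every HTML
// metacharacter when the value is written into an HTML text context,
// so the browser treats it as text. Other contexts (attributes, URLs,
// inline JavaScript) need their own context-specific encoders.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Defender-side check: does the rendered fragment still contain a live tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Render a user comment with a chosen sanitizer (hypothetical helper).
function renderComment(text, sanitize) {
  return `<p>${sanitize(text)}</p>`;
}

function compareFilters(input) {
  const weak = renderComment(input, stripScriptOnce);
  const hardened = renderComment(input, escapeHtml);
  return {
    weak,
    weakStillExecutable: containsScriptTag(weak),
    hardened,
    hardenedStillExecutable: containsScriptTag(hardened),
  };
}

console.log(compareFilters(SAMPLE));
```
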
Post by: secureseven on July 20, 2010, 02:36:02 PM
Post by: T_Bone on July 21, 2010, 02:05:33 AM
Actually I am in the process of reading through the Web Application Hacker's Handbook at present. I have been performing tasks on a list of vulnerable sites but haven't yet got to the "Attacking Other Users" chapter which deals with XSS... OK, I'll be patient and will be sure to check out w3schools.
Post by: UNIX on July 21, 2010, 10:41:43 AM
Have you looked at the WebGoat Project?
Post by: ajohnson on July 21, 2010, 08:34:12 PM
While this isn't a tutorial, you might have some fun working through the exercises here: http://www.hackthissite.org/
Post by: secureseven on July 22, 2010, 09:25:32 AM
Another one is: http://google-gruyere.appspot.com/#0__jarlsberg
They renamed Jarlsberg to Gruyere though, but same thing, just with revisions.