XSS testing grounds for developer demonstration

Viewing 9 reply threads
  • Author
    Posts
    • #7881
      noghost
      Participant

      A little page I whipped up to teach developers about some simple XSS attack vectors.  Figured I’d share.

      It can be a little quarky because of caching.

      http://www.g-rawkz.com/xss.php

    • #49747
      cyber.spirit
      Participant

      good tutorial thanx

    • #49748
      rance
      Participant

      That’s really handy… and… I was just about to whip something like that up for a demo that i’m giving, but you hit all the points i need. Could i trouble you for your source?

    • #49749
      noghost
      Participant

      Sure.  It is not very clean, but of course it was never really meant to be. 
      Its pretty much all php other than some javascript use to remember the scroll bar location via cookie so that when you hit a submit button the page refreshes and stays at the same scroll location.

      You could always give me a shout out in the demo =].  Nothing like throwing up some handles from a hacker forum on the screen during some corporate presentation.

      http://www.g-rawkz.com/xss.txt

    • #49750
      rance
      Participant

      it does the trick! i’ll see if i can slip in a nod… 🙂

      btw, welcome to the forum… very helpful first post!

      all hail hypnotoad.

    • #49751
      Don Donzal
      Keymaster

      2nd on the great first post and welcome to EH-Net.

      Don

    • #49752
      noghost
      Participant

      Thanks for the welcomes.  EH seems like a pretty good forum that somehow I never stumbled upon until now.

      Also any suggestions on how this page could be improved are welcomed.  Although XSS is a fairly old problem, in my experience I find it all over the place in the applications put out at my place of business and across web in general.  Even with certain filters protecting against stealing session cookies by stopping harmful tags like script and iframe, I have demonstrated how its possible to deface a webpage overlaying login forms that submit to my controlled server.  Not all XSS can lead to something evil, but there are many creative ways they can be used and I see it as a major problem especially when used as a spear phish attack via email.

      ‘all glory to the hypnotoad’

    • #49753
      Jamie.R
      Participant

      Speaking os XSS does anyone know a good resource for using html 5 tags to exploit XSS??

    • #49754
      UNIX
      Participant

      Take a look at the HTML5 Security Cheatsheet.

    • #49755
      m0wgli
      Participant

      @aweSEC wrote:

      Take a look at the HTML5 Security Cheatsheet.

      I just thought it worth mentioning that the above resource can also be accessed from the following link as well:

      http://html5security.org/

Viewing 9 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?