Javascript and actionscript Tutorial recommendations

T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Tue Jul 20, 2010 11:32 am

Javascript and actionscript Tutorial recommendations

Ok, so some of you guys will probably have seen some of my posts... basically I am a newbie Pen Tester and have predominantly started performing web app assessments.

Unfortunately I don’t have a development background, mainly sys admin, and therefore am not up to speed with scripting languages. Now I have decided to learn Perl eventually but need a quick understanding of JavaScript and ActionScript as I am not entirely sure what to look for when looking for XSS when the standard alert functions do not work. Don’t get me wrong, I have noticed that the standard <script>alert("xss")</script> does still get executed a lot on sites but need to get a better understanding of JavaScript and how to look for the more discreet vulnerabilities.

When decompiling Flash files I generally look for encryption algorithms and salts, directories you can access and enumerate, and the crossdomain.xml file for * as the domains it can use. Any more?
Any help would be appreciated.

Cheers

Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Tue Jul 20, 2010 1:09 pm

Re: Javascript and actionscript Tutorial recommendations

Check out w3schools.com

Some websites employ filters in which case the standard alert dialog will not work. You will then have to try various evasion techniques.
e.g. <script><script>alert('xss')</script></script> So if one <script></script> gets blocked the other passes through.

Cheat sheets: http://ha.ckers.org/xss.html
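
Added example, not part of the posts above: a filter that removes script tags once, next to output encoding, run on the nested-tag string from the previous post, to show why encoding rather than tag stripping is the fix a tester should recommend. The names naiveStripOnce, escapeHtml, hasScriptTag and compare are hypothetical, and the filter is constructed for illustration.

```javascript
// Constructed sample: the nested-tag string quoted in the post above.
const sample = "<script><script>alert('xss')</script></script>";

// Hypothetical blocklist filter: deletes only the first opening and the
// first closing script tag it finds (String.replace without the g flag).
function naiveStripOnce(input) {
  return input.replace(/<script>/i, "").replace(/<\/script>/i, "");
}

// Output encoding: every HTML metacharacter becomes an entity, so the
// browser renders the input as text whatever tags it contains.
function escapeHtml(input) {
  const entities = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(input).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// True if the string still contains a literal opening script tag.
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

// Runs both defences on the same input and reports what is left.
function compare(input) {
  const filtered = naiveStripOnce(input);
  const encoded = escapeHtml(input);
  return {
    filtered,
    filteredHasTag: hasScriptTag(filtered),
    encoded,
    encodedHasTag: hasScriptTag(encoded),
  };
}

console.log(compare(sample));
```

escapeHtml as written is correct for HTML element content and quoted attribute values; data placed inside a script block or a URL needs the encoding for that context instead.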

secureseve

Jr. Member

Posts: 79

Joined: Thu Apr 08, 2010 10:40 pm

Location: DMZ

Post Tue Jul 20, 2010 2:36 pm

Re: Javascript and actionscript Tutorial recommendations

This does not have much to do with learning javascript or actionscript (but the aforementioned site, w3schools, is very good) but have you read The Web Application Hacker's Handbook? It's really good and in depth, and you said that you are starting new with webapp testing. Very robust and if you read a chapter at a time and apply what you learned on a vuln site, it really sticks in your head. In your case, maybe you can make mock-up web apps using javascript/actionscript and try and apply what you learned from that chapter in the book. 2 birds, 1 stone lol.
http://twitter.com/mikesantillana
eLearnSecurity Team Member.

T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Wed Jul 21, 2010 2:05 am

Re: Javascript and actionscript Tutorial recommendations

@ secureseven

Actually I am in the process of reading through the Web Application Hacker's Handbook at present. I have been performing tasks on a list of vulnerable sites but haven't yet got to the "Attacking Other Users" chapter which deals with XSS... ok I'll be patient and will be sure to check out w3schools.

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Wed Jul 21, 2010 10:41 am

Re: Javascript and actionscript Tutorial recommendations

Have you looked at the WebGoat Project?

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Jul 21, 2010 8:34 pm

Re: Javascript and actionscript Tutorial recommendations

While this isn't a tutorial, you might have some fun working through the exercises here: http://www.hackthissite.org/
The day you stop learning is the day you start becoming obsolete.

secureseve

Jr. Member

Posts: 79

Joined: Thu Apr 08, 2010 10:40 pm

Location: DMZ

Post Thu Jul 22, 2010 9:25 am

Re: Javascript and actionscript Tutorial recommendations

Another one is: http://google-gruyere.appspot.com/#0__jarlsberg
They renamed jarlsberg to gruyere though, but same thing, just with revisions.
http://twitter.com/mikesantillana
eLearnSecurity Team Member.
