Hosting Provided By

RE: Proof of Concept Tool on Web Application Security

From: Gunter <gunter(at)technicalinfo.net>
Date: Mon Apr 21 2003 - 14:14:33 EDT

There aare a number of papers online at www.technicalinfo.net that will help you here and shed a little more light on the situation.

HTML Code Injection and Cross site scripting
(http://www.technicalinfo.net/papers/CSS.html)
-- How it works, how to detect, and how to protect against it.

Web Based Session Management
(http://www.technicalinfo.net/papers/WebBasedSessionManagement.html)
-- All about session management - understanding the good, the bad, and the ugly.

URL Encoded Attacks
(http://www.technicalinfo.net/papers/URLEmbeddedAttacks.html)
-- Understanding how different encoding schema work and alternative representations (incl. bypassing < conversions etc.)

Hope that helps...

-----Original Message-----
From: Indian Tiger [mailto:indiantiger@mailandnews.com] Sent: 18 April 2003 13:55
To: webappsec@securityfocus.com
Subject: RE: Proof of Concept Tool on Web Application Security

Hey Everybody,

First of all thank you very much to Robert, Rogan, Steve, Nicolas and Leah for
their guidance to test XSS and Session ID brute force attack.

Do you need help?

Now I can transfer victim's cookie to another location successfully. I have
tested XSS to transfer cookie using following three ways:

1. Using  document.location
2. Using Image src
3. Using hidden fields

The cookie, which I am getting, is of current application only. Now how can I
steal all cookies stored on the victim's machine? or how to transfer a file
from Victim machine?.

Some sites converts < and > tags into < and > to protect them selves
from XSS attacks. Is there any way to bypass this protection?

I was testing some trojan execution using XSS. In this process I was able to
run help file 31users.chm from attackers machine to victims machine as follows:
window.showhelp(file:///XXX. XXX. XXX. XXX/c:/windows/help/31users.chm) Is it possible to run some trojan or activex componenet instead of help file?
Without alerting for any pop-up.
Is this possible to write some malicious help file? (These files not even ask
before execution.)

As per IDefence's Article on "Brute forcing Session ID" some time session ID
is random. I have tested this against six sites and I was not much lucky to
get session IDs in which only last 3-4 digits are changing. What do you think in practice still are they so? Since iDEFENSE has published this research in Nov 2001 and current scenario might be a bit changed.

In my research of six sites, four sites were using ASP session variable to
generated session ID and remaining two their own.

I was able to hijack ASP sessions using session IDs. In my testing, first I
have logged in as user1, got his session ID and using user1's session ID, I
was able to hijack user1.

Any help on this would be highly appreciated.

Do you need more help?

Thanking You.
Sincerely,

Indian Tiger, CISSP Received on Mon Apr 21 14:25:51 2003

This message: [ Message body ]
Next message: Calderon, Juan C (CORP, DDEMESIS): "RE: getting an ASP file"
Previous message: Calderon, Juan C (CORP, DDEMESIS): "RE: SQL njection 2"
In reply to: Indian Tiger: "RE: Proof of Concept Tool on Web Application Security"
In reply to appsec(at)technicalinfo.net: "Re: XSS"
Reply: Gunter: "RE: web application access control research"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:50 EDT