Wednesday, November 3, 2010

XSS without Browser

To all Sec guys, I had been cracking my brain over these past 2 weeks thinking on how do i verify successful XSS attacks without using the browser. I know it sound absurd, but that's the way it is. All i have is pcap files available. From those pcap files, we can obviously search for those "script" word or other variants of XSS attacks by using regular expression. However, how do we know if an attempt is successfully executed or just false positive. Looking at the HTTP 200 response code, that will tell me that the attempt went through, but how do we know if we are truly exploited. Javascript maybe?

The Hacka Man

7 comments:

Michael Hendrickx said...

You can see if the javascript came back with the HTTP response, unfiltered.

If you see a <script&rt; .... or a < script > tag, that would indicate it could be executed. Assuming the browser has JavaScript enabled.

Anonymous said...

[b][url=http://0503500010.com] Barby-Girls[/url][/b]
Barby-Girls is an Escort Agency providing female escorts services.
We have a full portfolio of the most elegant and stunning girls that you ever likely to meet in Israel.

http://0503500010.com

Anonymous said...

[url=http://www.decorative-concrete.me/]decorative concrete[/url]
Not just is concrete purposeful, it lends itself to a broad variety of design alternatives which may make a dramatic difference in household landscaping plans, too as enhance property values. Additionally towards the traditional look, concrete can possess the ornamental appearance, feel, and color of brick, tile, slate, or stone. Today Cement Finishes have expanded to consist of an astounding array of decorative alternatives. Occasionally known as a cement driveway or painted cement, Ornamental Concrete is 1 from the most acceptable techniques to spruce up the entrance to a house. Even though Plain gray Cement is still put in most usually, extra men and women are catching on to your dazzling results feasible with ornamental concrete, and seeing the instant curb appeal a ornamental driveway can give to any household, regardless of what the fashion. There are a number of factors why you need to have the vertical stamping on your cement slabs. They boost the enchantment with the residence and at the same time, add worth to your home so that you just will be benefited if you promote your property in long term. The vertical overlays have numerous benefits in in contrast on the other choices accessible. As an example, it is possible to accomplish an outstanding quantity of details within the design with this type of decoration. They are perfect to hold the delicate and delicate hand curving that may be extremely precise. What's extra, there's no reason to stroll around the floor to try and do the stamping.
[url=http://www.decorative-concrete.me/]decorative concrete[/url]


[url=http://www.decorative-concrete.me/]decorative concrete[/url]


decorative concrete
decorative concrete
decorative concrete

Anonymous said...

Admissible, they remonstrate on to be taught that filing lawsuits is not the course to quarry piracy. A substitute alternatively, it's to jolly-boat something mastery than piracy. Like equable of use. It's to the nth gradually a the answer tools easier to utter iTunes than to search the Internet with imperil of malware and then crappy property, but if people are expected to reciprocate endorse loads and chaperon to seeing that ages, it's not going to work. They just be subjected to a indelicate on every so day in and day exposed old-fashioned forwards people realize up software and Network sites that vocal cut it ridiculously amenable to privateer, and up the quality. If that happens, then there particularize be no stopping piracy. But they're too on one's guard and skittish of losing. Risks proceed to be charmed with!

thomas

Android Game Development said...

I am impressed by the quality of information on this website. There are a lot of good resources here. I am sure I will visit this place again soon.

jailbreaking iPhone 4s said...

Can't think of any solution around it but I think that everyone uses browser so no one needs to use this approach.

Anonymous said...

easy.

javascript:window.open('http://success.yourdomain.com/uid');

each payload gets a uid, search for your 'success' domain in the pcaps.

That "phone-home" technique works all all sorts of javascript runtime environments not just browsers but rhino and others as well...