XSS hacking trick

This is where that value can be found. To complete the new-administrator attack, we need some additional code to fetch the user-new. Next, we need a function to get the page that contains the nonce value. This code will retrieve the user-new. Now we need to do something with the response. Up until now, we have not had to wait for our request to finish; we do have to worry about that now.

We will add some code that waits until our GET request has completed. This is where we need to put our response-parsing code that finds the nonce value. We can add the following code in the inner bracket. This variable now holds the full HTML content of that page, including the add-new-user form and the nonce value! There is a lot of content in that response, and we want to narrow it down to our nonce. We can search for this code in the response. We can find this string in our response with the following code.

This will find the index of this string in the response. We can put this all together and print out the index. If we open the web developer console in our browser and execute this payload as the WordPress administrator, we can see the index near where our nonce value is located.

This code will pull out a substring of our response and save it into the nonceVal variable. We will give the substring two indices: the noncePos we just printed and that index plus an offset, so somewhere in that substring we should have our nonce value. Through a little trial and error, it is easy to correct these offsets to isolate just the nonce value itself. Now we can integrate the findNonce function and our addAdminUser function to first find the nonce, then use it in our request to add our new administrator user.

We also change the body line that includes the nonce value from being hard-coded to a variable. This code will create an iframe with the javascript: URL, create a form on that blank page, and submit it.

This will make the referrer clean, and you will circumvent any referrer checks. On forums and online communities you can often use an avatar, which you link from the web. And very often, only extensions like. What you have to do then is to use Apache's .htaccess. The extension filter will not trigger, but when the image is displayed, the browser will find the HTTP redirect and fetch the new page.

Note that this cannot be used to redirect to POST CSRF exploits, because the browser does not interpret the HTML in the response; it only requests it. Redirecting to javascript: does not work either, and thank god for that. If you make a CSRF exploit which changes the name, email or whatever, you may see that the site uses tokens to prevent this.

To circumvent this, you need to find an XSS flaw. When you find one, you can inject JS, which will fetch the tokens that are needed.

The HTML code of that page contains the token, which is needed to change things. This is called a regular expression. Credit for this particular set of hackery goes to this great article on XSS in Django.

If you can force a browser to load data, either through setting the URL via e. In Firefox, these are treated as the same domain as the originating page, but not in Chrome. Regardless, this can lead to a few dangerous outcomes explained below. Not XSS, but consider other MIME types which can wreak havoc. Firefox only. Other ideas include Java applets, Steam, or really anything that registers a custom protocol handler. Some ideas on exploiting them are available here. Now it is time to practice your skills in a legal way.

This time I came with a different web application that will develop your knowledge in web app pentesting. Still more articles are on the way; stay tuned to BreakTheSec..! Today I am going to explain how an attacker exploits an XSS vulnerability and steals cookies from users. BTS does not take responsibility if anyone […]. This is my third article about the Cross Site Scripting tutorial.
