HackFest Series: XSS for Everyone

Author: Lisa Kachold
Date:  
To: plug-devel, plug-discuss
Subject: HackFest Series: XSS for Everyone

Cross Site Scripting, like any security risk, can be mitigated once we know what to look for: infections, and/or the aberrant sites or behavior that incurred the contagion (in the case of XSS Tunnels). XSS allows us to inject HTML, an iframe, JavaScript, or a redirect into a website wherever content checking is insufficient. Many versions of Apache httpd are vulnerable to XSS, and there are many types of XSS tricks.
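
As an added example (not part of the original post, and not code from any of the projects linked below), here is the mitigation side of the paragraph above in plain Node.js: the same page fragment rendered with untrusted input concatenated straight into markup versus rendered with context-appropriate output encoding, plus an input-side check that flags markup-looking submissions for logging. The function names, the JavaScript-string encoder, and the sample inputs are all constructed for this illustration; the sample inputs are the standard `alert(1)` test strings, not captured traffic.

```javascript
// Added example, not code from the original post. Names and samples are constructed.

// HTML text / attribute context: encode the characters that can change how the
// parser reads the surrounding markup. Attribute values must also be quoted.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context (a value placed inside <script>...</script>).
// HTML entity encoding is not enough here because the script parser does not
// decode entities, so every non-alphanumeric character becomes \xHH or \uHHHH.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).toUpperCase().padStart(2, "0")
      : "\\u" + code.toString(16).toUpperCase().padStart(4, "0");
  });
}

// Naive template: the untrusted value is concatenated straight into markup,
// which is exactly the "insufficient content checking" the post describes.
function renderUnsafe(userName) {
  return "<p>Welcome, " + userName + "</p>";
}

// The same fragment with output encoding for the HTML text context.
function renderSafe(userName) {
  return "<p>Welcome, " + escapeHtml(userName) + "</p>";
}

// Inline-script template: the value lands inside a JS string literal.
function renderScriptSafe(userName) {
  return '<script>var who = "' + escapeJsString(userName) + '";</script>';
}

// Input-side detector for logging and forensics: flags submissions that look
// like markup or script so they can be reviewed. This is a signal, not a
// substitute for encoding; filters are bypassable, encoding is the mitigation.
function looksLikeMarkupInjection(input) {
  const s = String(input);
  return /<\s*\/?\s*[a-z]/i.test(s)   // a tag opener such as <script or </p
      || /\bon[a-z]+\s*=/i.test(s)    // an event-handler attribute
      || /javascript\s*:/i.test(s);   // a script URL scheme
}

// Constructed sample inputs (standard test strings, not real traffic).
const SAMPLES = [
  "Lisa",
  "<script>alert(1)</script>",
  '" onmouseover="alert(1)',
  "</script><script>alert(1)</script>",
];

function demo() {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s), "flagged:", looksLikeMarkupInjection(s));
    console.log("  unsafe:", renderUnsafe(s));
    console.log("  safe:  ", renderSafe(s));
    console.log("  script:", renderScriptSafe(s));
  }
}

demo();
```

Run it with `node` and compare the `unsafe:` and `safe:` lines for the second sample: the naive template emits a live `<script>` element, the encoded one emits inert text. The third sample shows why the encoder covers quotes as well as angle brackets, and the fourth shows why a value inside a script block needs the JavaScript-string encoder rather than HTML entities.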

CheatSheet for creating XSS Test LABS: http://ha.ckers.org/xss.html

Good Video Descriptions [Full Disclosure]: (Persistent and Non-persistent)
http://www.youtube.com/watch?v=WZCXIrW0xZ0
http://www.youtube.com/watch?v=JBpG2fie_aA

XSS Tunnels [Full Disclosure]:
http://www.youtube.com/watch?v=Vg7lhW
http://www.youtube.com/watch?v=Cevlym76CWI
http://www.youtube.com/watch?v=OkiMTqYD1_Q

Other Demonstrations:
FaceBook: http://www.youtube.com/watch?v=l-9T40Ru7W8
MySpace: http://www.youtube.com/watch?v=ZP324qmNTjY

Other Known XSS sites:

Dec 2008 American Express: http://www.theregister.co.uk/2008/12/20/american_express_website_bug_redux/
Nov 2007 (including fbi.gov): http://blogs.securiteam.com/index.php/archives/1030
Friendster: http://www.lifedork.com/friendster-xss-bug-friendster-is-vulnerable-to-xss-again.html
http://www.owasp.org/index.php/Top_10_2007-A1

Forensics & Defense:
http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Microsoft:
DOM Based Cross Site Scripting, http://www.webappsec.org/projects/articles/071105.shtml
.NET Anti-XSS Library - http://www.microsoft.com/downloads/details.aspx?FamilyID=efb9c819-53ff-4f82-bfaf-e11625130c25&DisplayLang=e

WebGoat on BackTrack3 Demonstration: http://www.youtube.com/watch?v=femI7IMP8hw
XSS-ME: http://www.securitycompass.com/exploitme.shtml

www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis | hackfest.obnosis.com (503)754-4452
January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security Forensics @ UAT 1/10/09 12-3PM
Take the Black [Linux BT3] Pill & leave SecurityMatrix, or take the Blue [XP/Vista Pill] & stay happily ignorant.



PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss