[PLUG-Devel] HackFest Series: XSS for Everyone
Lisa Kachold
lisakachold at obnosis.com
Thu Dec 25 14:44:41 MST 2008
Cross Site Scripting like any security risk can be mitigated (once we realize the risks to look for infections ( and/or identify the abberant sites or behavior that incurred contagion [for XSS Tunnels]). XSS allows us to inject HTML, iFrame, javascript, or a redirect into a website, where content checking is insufficient. Many versions of Apache httpd are vulnerable to XSS and there are many types of XSS tricks.
CheatSheet for creating XSS Test LABS: http://ha.ckers.org/xss.html
Good Video Descriptions [Full Disclosure]: (Persistent and Non-persistent)
http://www.youtube.com/watch?v=WZCXIrW0xZ0
http://www.youtube.com/watch?v=JBpG2fie_aA
XSS Tunnels [Full Disclosure]:
http://www.youtube.com/watch?v=Vg7lhW
http://www.youtube.com/watch?v=Cevlym76CWI
http://www.youtube.com/watch?v=OkiMTqYD1_Q
Other Demonstrations:
FaceBook: http://www.youtube.com/watch?v=l-9T40Ru7W8
MySpace: http://www.youtube.com/watch?v=ZP324qmNTjY
Other Known XSS sites:
Dec 2008 American Express: http://www.theregister.co.uk/2008/12/20/american_express_website_bug_redux/
Nov 2007 (including fbi.gov): http://blogs.securiteam.com/index.php/archives/1030
Friendster: http://www.lifedork.com/friendster-xss-bug-friendster-is-vulnerable-to-xss-again.html
http://www.owasp.org/index.php/Top_10_2007-A1
Forensics & Defense:
http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Microsoft:
DOM Based Cross Site Scripting, http://www.webappsec.org/projects/articles/071105.shtml
.NET Anti-XSS Library - http://www.microsoft.com/downloads/details.aspx?FamilyID=efb9c819-53ff-4f82-bfaf-e11625130c25&DisplayLang=e
WebGoat on BackTrack3 Demonstration: http://www.youtube.com/watch?v=femI7IMP8hw
XSS-ME: http://www.securitycompass.com/exploitme.shtml
www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis | hackfest.obnosis.com (503)754-4452
January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security Forensics @ UAT 1/10/09 12-3PM
Take the Black [Linux BT3] Pill & leave SecurityMatrix, or take the Blue [XP/Vista Pill] & stay happily ignorant.
_________________________________________________________________
Life on your PC is safer, easier, and more enjoyable with Windows Vista®.
http://clk.atdmt.com/MRT/go/127032870/direct/01/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.PLUG.phoenix.az.us/pipermail/plug-devel/attachments/20081225/1a64f0c0/attachment.htm
More information about the PLUG-devel
mailing list