XSS-Proxy

XSS-Proxy is an advanced Cross-Site-Scripting (XSS) attack tool. The documents, tools and other content on this site assume you have a basic understanding of XSS issues and existing exploitation methods. If you are not famliar with XSS, then I recommend you check out the primer links/docs below to get a better of idea of what XSS is and how to detect it, fix it, and exploit it.

Primer info on XSS issues and attacks
CERT info on XSS
CGISecurity’s Cross Site Scripting FAQ
Gunter Ollmann’s XSS paper
PeterW’s Cross Site Request Forgery (CSRF) Concept
SecureNet’s Session Riding paper

Some Common Misconceptions with XSS
“A user has to click a link to be impacted by XSS.” No – if you visit a page that has// your browser will run it regardless of you clicking a link. I carefully crafted this example so it would not be run by your browser, but I could have put real script tags/commands here and made you run then transparently.
“XSS only matters with bulliten boards, blogs, and other sites where an attacker can upload script content.” That is one way the attack can happen, but an attacker can also leverage sites that allow HTML/SCRIPT tags to be reflected back to the same user (like a search form that repeats what it was told to look for in the response). These flaws are commonly combined with public site redirects or emails to attack a second site.
“Don’t XSS attacks just create popup windows, alerts and other pesky things?” No – They are commonly used to reveal your cookies or form based login info to attackers. After havesting this info, the attacker uses it to log into the same site as you.
“I understand XSS, but I don’t think it’s a huge issue”. I think you’ll change your mind once you understand this advanced attack. Read the advanced stuff below and play with XSS-Proxy to see how evil XSS really can be.

Advanced Stuff – XSS-Proxy and Javascript Remoting attacks
There’s not a lot of info here yet as I’m still working on content that will be here soon. Best bet is to review my Shmoocon slides, read the Mini-Whitepaper, and download/play with the XSS-Proxy tool.

Here are my Shmoocon 2005 Powerpoint Slides on Advanced XSS attacks and XSS-Proxy

Here is the latest draft of my XSS Attacks mini-whitepaper

XSS-Proxy Project site for file downloads and other info

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s