can i deface a site by xss

dovis (Member)
Posted on 22-10-08 21:51
I found a site which has an XSS hole... I can pass the message with a JS script:
<script>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>xaxaxa</h1></div>";</script>

OK... but is there JS code to deface the site? I.e. can I pass the message "xaxaxa" into the site through XSS so that every time I see the site the message "xaxaxa" is there? Or is XSS only for cookie stealing?
Any help? :D

Mr_Cheese (HBH Owner)
Posted on 22-10-08 21:57
If it's a guestbook-style site where you can add your input to the page, then it can cause a defacement.

If it's a GET variable you're "exploiting" then obviously it only applies to that page load.

May I suggest you start learning how websites work, i.e. HTML, forms, POST/GET, databases etc. before you start exploiting.

XSS is a lot more powerful than cookie stealing.

and please note HBH does not condone, support, or encourage defacing of innocent websites. If you are caught, or end up asking for help for this, not only will people not help you, but your account will get banned too.

fallingmidget (Banned)
Posted on 22-10-08 22:00
You could include a script from another source. There's tons of stuff you can do with XSS. There are XSS shells, XSS tunneling, cookie stealing, but if you just want to deface the site then include a picture or something like that to cover the whole front page.



Futility (Member)
Posted on 22-10-08 22:01
Cross-site scripting can be used for tons of different things. Yes, you can deface a site using it, but you'd need to find a way to have the code saved directly to the site. A forum that doesn't filter HTML when people post is a pretty good example. Finding a vulnerability in a search box won't cut it, which is why phishing and cookie stealing are more popular. Craft a specific URL for the target and send it over.


Futility91@hotmail.com Futility91 http://mycampearth.com/

dovis (Member)
Posted on 22-10-08 22:02
It's a search box... I know some things about XSS, JS etc... but I don't know if I can deface the site through XSS...

Futility (Member)
Posted on 22-10-08 22:06
dovis wrote:
It's a search box... I know some things about XSS, JS etc... but I don't know if I can deface the site through XSS...

If it's a search box, then you're either exploiting a GET or POST variable, which means it's not permanent. Which also means you can't deface it because the data isn't saved anywhere. Why are you so intent on defacing sites anyway? If you've got an XSS hole, there are tons of more useful things that can be done.



dovis (Member)
Posted on 22-10-08 22:08
Using the code above I defaced the site, but when I reload the site without the script I didn't see the message... I want the message to remain in the site... :@

dovis (Member)
Posted on 22-10-08 22:12
It's the GET... what else can I do? I want to show on the site that there is an XSS hole. Any help?

yours31f (Second to one)
Posted on 22-10-08 22:19
have you tried e-mailing the web-master to let him know?


Debugging is what programmers do to beta software to make it take up more room on your hard drive if it is running too efficiently.



yours31f@live.com yours31f@yahoo.com rpwd.info

Mr_Cheese (HBH Owner)
Posted on 22-10-08 22:22
xssed.com

you can submit XSS urls.

as quoted on their website:
Once the mirror has been validated and published, you should contact the webmasters of the affected web site and help them to fix the flaw.

Futility (Member)
Posted on 22-10-08 22:41
dovis wrote:
It's the GET... what else can I do? I want to show on the site that there is an XSS hole. Any help?

Alright. That's enough of this. I thought we were clear. In order for the XSS (and the 'defacement') to be permanent, data needs to be saved to the page. Search boxes don't save anything to the page, so there is no way for you to deface it. A GET variable, as previously stated, can be used to phish, steal cookies, and a slew of other target-based attacks. You would need to get the target to click on your maliciously crafted URL in order for it to work because nothing is being saved to the site.

Oh, and I don't think he's looking to tell the webmaster about it. All he wants is the 'fame' that comes along with taking down a site.

[EDIT] I don't even bother submitting things to xssed.com anymore. By the time they check them, I've already contacted the webmaster and helped him fix the problem.




Edited by Futility on 22-10-08 22:43
Futility91@hotmail.com Futility91 http://mycampearth.com/
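
The distinction drawn in this thread, input reflected from a GET search box versus input saved by a guestbook or forum, seen from the site owner's side. This is an added example, not code from the thread or from any site it mentions; the two toy renderers, their names and the harmless `<b>` probe are constructed for illustration.

```javascript
// Constructed example: two toy page renderers, each with encoding off (flawed) or on (fixed).
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five HTML-significant characters before text is placed in element content.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Search page: the q parameter is echoed into this one response and never stored.
function renderSearch(q, encode) {
  const shown = encode ? escapeHtml(q) : q;
  return `<h2>Results for ${shown}</h2><p>No matches.</p>`;
}

// Guestbook: entries are saved server-side and echoed to every later visitor.
function makeGuestbook(encode) {
  const entries = [];
  return {
    post(message) { entries.push(message); },
    render() {
      const items = entries.map((e) => `<li>${encode ? escapeHtml(e) : e}</li>`);
      return `<ul>${items.join('')}</ul>`;
    },
  };
}

// Harmless constructed probe: if it comes back unencoded, the page has an injection flaw.
const PROBE = '<b id="probe">probe</b>';

function demo() {
  const flawedBook = makeGuestbook(false);
  const fixedBook = makeGuestbook(true);
  flawedBook.post(PROBE);
  fixedBook.post(PROBE);
  return {
    reflectedThisRequest: renderSearch(PROBE, false).includes(PROBE), // true
    reflectedNextRequest: renderSearch('shoes', false).includes(PROBE), // false: nothing saved
    storedEveryRequest: flawedBook.render().includes(PROBE) && flawedBook.render().includes(PROBE),
    searchFixed: !renderSearch(PROBE, true).includes(PROBE),
    guestbookFixed: !fixedBook.render().includes(PROBE),
  };
}

console.log(demo());
```

Encoding at the point of output closes both cases; the stored one is the higher priority to fix because the saved markup reaches every visitor rather than one crafted request.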

dovis (Member)
Posted on 22-10-08 23:19
Thanks a lot for the help... I found an XSS shell and I'll try to work with it and post the results...
Thanks for the advice...
:D

yours31f (Second to one)
Posted on 22-10-08 23:53
I give him three days till a warn/ban.



Zephyr_Pure (Member)
Posted on 23-10-08 01:07
yours31f wrote:
I give him three days till a warn/ban.

You're working on one if you don't start being useful again (short-lived as that was).


I still check PMs from time to time.




Our responses were moronic, why shouldn't he follow suit? - Futility

Edited by Zephyr_Pure on 23-10-08 01:07

Uber0n (Member)
Posted on 23-10-08 08:47
Futility wrote:
I don't even bother submitting things to xssed.com anymore. By the time they check them, I've already contacted the webmaster and helped him fix the problem.


Yeah, what are Kevin and Dimitris up to? :right: I sure miss the good old 'submit and it gets verified within a day'-style ^^



http://uber0n.webs.com/
Nope http://uber0n.webs.com/

yours31f (Second to one)
Posted on 23-10-08 15:28
I got to a point where I wondered if the site was even operational. I submitted about 5-6 sites and none were ever accepted. So, I just quit going.


© HellBound Hackers 2008- 2009. Since 3rd December 2004.