Follow us on Twitter!
The measure of a mans life is not how well he dies, but how well he lives.
Friday, April 18, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 29
Guests Online: 24
Members Online: 5

Registered Members: 82825
Newest Member: bulmers
Latest Articles
View Thread

HellBound Hackers | Computer General | Web hacking

Author

xssed trouble...


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 04-10-08 14:26
OK Basically when I submit a xss link to xssed.com and it uses POST for some reason it never shows up....So I was wondering am I doing this right?:
NAME:SaMTHG
URL:http://www.the_xss_vulnsite.com/search.php
POST:"><script>alert("XSS")</script>
IMG:The verification numbers/letters

Because I've now submitted at least 15 different sites using POST and none have shown up..only those that have the XSS in the URL. Thanks

Edited by on 04-10-08 14:26
Author

RE: xssed trouble...

spyware
Member



Posts: 4192
Location: The Netherlands
Joined: 14.04.07
Rank:
God
Warn Level: 90
Posted on 04-10-08 14:35
Maybe the POST-ones get checked by hand, so it takes a while for them to get published? Anyway, enjoy your e-penis.




img507.imageshack.us/img507/3580/spynewsig3il1.png
"The chowner of property." - Zeph
[small]
Widespread intellectual and moral docility may be convenient for leaders in the short term,
but it is suicidal for nations in the long term.
- Carl Sagan
“Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor?” - Ebert
[/s
http://bitsofspy.net
Author

RE: xssed trouble...


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 04-10-08 15:16
About the "> I found 2 today one does need the "> and the other doesn't. But I'll try it. Thanks


Author

RE: xssed trouble...

yours31f
Member



Posts: 1678
Location: Dallas Texas
Joined: 27.04.07
Rank:
Elite
Posted on 04-10-08 15:38
@ ^^ the "> ends the input tag, then inputs your script into the source and not into the text.


Debugging is what programmers do to beta software to make it take up more room on your hard drive if it is running too efficiently.


img259.imageshack.us/img259/3713/sigr.png



Edited by yours31f on 04-10-08 15:55
yours31f@live.com yours31f@yahoo.com rpwd.info
Author

RE: xssed trouble...


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-10-08 10:42
So when I put "> into the POST field what I'm doing is inserting script into the source but how do they know when to use "> on the site and when not to?
Author

RE: xssed trouble...


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-10-08 11:11
SaMTHG wrote:
So when I put "> into the POST field what I'm doing is inserting script into the source but how do they know when to use "> on the site and when not to?


Maybe you should learn what happens with XSS. When you insert a "> you are breaking out of an input field that has your input in it. For instance, let's say you type in:
test


The server could output:
Code

<form action="" method="post">
       <input type="text" value="test">
       <input type="submit" value="Search">
</form>





If that happens, then you would try to type "><script>alert(1);</script>. If it's vulnerable, the page will output something like:
Code

<form action="" method="post">
       <input type="text" value=""><script>alert(1);</script>">
       <input type="submit" value="Search">
</form>





If it isn't, it will output:
Code

<form action="" method="post">
       <input type="text" value="&quot;&gt;&lt;script&gt;alert(1);&lt;/script&gt;">
       <input type="submit" value="Search">
</form>





Edit:
I wish hbh would filter ampersands so I wouldn't have to type out all of the ampersands with &amp;

Edited by on 05-10-08 11:16
Author

RE: xssed trouble...


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-10-08 12:36
I know how XSS works I'm just wondering if I only put in <script>alert(stuff here)</script> and on the site I used the XSS on I used "><script>alert(stuff here)</script> and it works and doesn't work without the "> then what do the staff of xssed do???
Author

RE: xssed trouble...

clone4
Member



Posts: 586
Location: He is back and he's bad!
Joined: 25.11.07
Rank:
Mad User
Posted on 05-10-08 12:49
SaMTHG wrote:
I know how XSS works I'm just wondering if I only put in <script>alert(stuff here)</script> and on the site I used the XSS on I used "><script>alert(stuff here)</script> and it works and doesn't work without the "> then what do the staff of xssed do???


It's already been explained. Usually the input will be echoed in the page as for example <input type="text" value=$input>, or I don't know even <a href=$input>something</a>.
if you input just <script>alert(/xsss/)</script> it will result in <input type="text" value="<script>alert(/xsss/)</script>">,thus not being executed, because you are still within the <input> tag.
But if you use "><script>alert(/xsss/)</script> you end up with <input type="text" value=""><script>alert(/xsss/)</script>"> so input tag is properly ended and then your script inserted and executed.
Whereas if the input was echoed just like <b>$input</b>, you could use just <script>alert(/xsss/)</script>, because when the input is echoed, it's not within any other tag, therefor no need to end one--> <b><script>alert(/xsss/)</script><b>


[img][/img]img164.imageshack.us/img164/5713/perlvl0.jpg

clone4.freehostia.com/ubuntu_3.png
spyware - "They see me trollin'..."
<yaragn> ever seen that movie? The Matrix?
<yaragn> with those green lines of flying text?
<yaragn> *THAT'S* Perl



Edited by clone4 on 05-10-08 12:50
clone_4@hotmail.com
Author

RE: xssed trouble...


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-10-08 12:54
I think it should be done like this:
For example if there is a login screen and when you input some xss
use livehttpheaders and see how it sends it.
Then use that part to submit the xss to xssed.
Example:

img152.imageshack.us/img152/3091/postft0.jpg

Code
Author: (e.g.: your full name):    loxaXcracker
URL:    www.somesite.com/login.php
Post: Username=%27%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E&Password=%27%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E








Author

RE: xssed trouble...


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-10-08 13:14
OK But then why is it that one of the sites you don't need the "> part?
P.S The source looks like this:
Code
<input id="search_term" name="SEARCH_REQUEST._search_term" value="<script>alert(/xssed/)</script>" maxlength="40" size="13" class="txtBox" onfocus="this.select();"/>





Author

RE: xssed trouble...


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-10-08 15:29
I don't see why you wouldn't need it on that one as well.


Author

RE: xssed trouble...

yours31f
Member



Posts: 1678
Location: Dallas Texas
Joined: 27.04.07
Rank:
Elite
Posted on 05-10-08 16:12
It just depends on the script. sometimes you need it, other times you don't. I have noticed that you need it on the more basic ones, But thats not to say that you may not need it for another one that left that part out.


Debugging is what programmers do to beta software to make it take up more room on your hard drive if it is running too efficiently.


img259.imageshack.us/img259/3713/sigr.png

yours31f@live.com yours31f@yahoo.com rpwd.info
Author

RE: xssed trouble...

spyware
Member



Posts: 4192
Location: The Netherlands
Joined: 14.04.07
Rank:
God
Warn Level: 90
Posted on 05-10-08 16:15
yours31f wrote:
It just depends on the script. sometimes you need it, other times you don't. I have noticed that you need it on the more basic ones, But thats not to say that you may not need it for another one that left that part out.


DISREGARD ELEMENTAL PROOF. 50% CHANCE ON EVERYTHING!



img507.imageshack.us/img507/3580/spynewsig3il1.png
"The chowner of property." - Zeph
[small]
Widespread intellectual and moral docility may be convenient for leaders in the short term,
but it is suicidal for nations in the long term.
- Carl Sagan
“Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor?” - Ebert
[/s
http://bitsofspy.net
Author

RE: xssed trouble...

yours31f
Member



Posts: 1678
Location: Dallas Texas
Joined: 27.04.07
Rank:
Elite
Posted on 05-10-08 16:17
I agree, It's always good to try it.


Debugging is what programmers do to beta software to make it take up more room on your hard drive if it is running too efficiently.


img259.imageshack.us/img259/3713/sigr.png

yours31f@live.com yours31f@yahoo.com rpwd.info
Author

RE: xssed trouble...

spyware
Member



Posts: 4192
Location: The Netherlands
Joined: 14.04.07
Rank:
God
Warn Level: 90
Posted on 05-10-08 16:19
yours31f wrote:
I agree, It's always good to try it.


DISREGARD SARCASM. PLEASE DIE, YOU SMART GUY, YOU.



img507.imageshack.us/img507/3580/spynewsig3il1.png
"The chowner of property." - Zeph
[small]
Widespread intellectual and moral docility may be convenient for leaders in the short term,
but it is suicidal for nations in the long term.
- Carl Sagan
“Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor?” - Ebert
[/s

Edited by spyware on 05-10-08 16:22
http://bitsofspy.net