Re: Looking for a Web Application Vulnerable to XSS Cookie Grab

From: CFW (cfw_securitycomcast.net)
Date: Mon Nov 08 2004 - 12:55:39 CST


Mark,

    Thanks for the response and thanks for writing a great learning tool.

    Maybe I am just not doing something right, but it looks to me like
the Stored XSS is not really exploitable because a given user will never
see another user's posts to the message board. Am I missing something?

Chuck

Mark Curphey wrote:

>Hacme Bank has both reflective and stored XSS already so what you are asking
>for is already there.
>
>We will have a new version due out around Jan 2005. I am taking feature
>requests ;-)
>
>-----Original Message-----
>From: CFW [mailto:cfw_securitycomcast.net]
>Sent: Friday, November 05, 2004 4:33 PM
>To: webappsecsecurityfocus.com
>Subject: Looking for a Web Application Vulnerable to XSS Cookie Grab
>
>Hi all,
>
> I am setting up a lab to learn about web application security and I have
>been messing with WebGoat and Foundstone's HacmeBank and found them to be
>very useful learning tools. One thing lacking in them (from what I can
>tell) is a multiuser, XSS Cookie Grabbing example.
>
> Basically, I would like to have a little application (or part of one of
>these applications) that one (malicious) user can log in to and post an XSS
>cookie grabber to a forum or guestbook or something. Then, the attacker
>fires up a listener until another user logs in and hits the script, sending
>the cookies to the listener. Then, the first user can change his cookies,
>and see clearly that the web application thinks it is the second user. Does
>anyone know of such an application?
>
> The Foundstone Hacme Bank is almost there in that it has a "Post
>Message" section that is vulnerable to XSS, but it is set up so that each
>user sees only their own messages, so it is not possible to post a malicious
>script to someone else. If the Foundstone people are reading this, have you
>considered changing this behavior?
>
> While I am asking, are there any other web applications like these that
>I should set up? I looked at WebMaven, but it looks like that has been
>overtaken by Hacme and WebGoat (correct me if I am wrong). Someone
>mentioned a while back on pen-test that you could use an old version of
>PHP-Nuke as a vulnerable site since it has a lot of known issues. Has
>anyone done this and have any hints on what version is the most useful in
>this respect (most vulnerable I guess)?
>
> Thanks a bunch and have a good weekend.
>
>Chuck
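The cookie grab Chuck describes needs two defects in the board at once: posts are rendered to other users as raw HTML, and the session cookie is readable by script. The Python sketch below is an added example, not code from Hacme Bank, WebGoat or this thread; it shows each defect next to its fix, and the posts, cookie name and session id in it are constructed.

```python
"""Stored XSS in a multiuser message board: the two defects a cookie
grabber depends on, each beside its mitigation (added example)."""
import html
from http.cookies import SimpleCookie

# Constructed sample posts; the second carries a harmless script marker
# standing in for whatever a malicious user would post.
POSTS = [
    {"author": "alice", "body": "Welcome to the board!"},
    {"author": "mallory", "body": "Hi <script>alert(1)</script>"},
]


def render_board_vulnerable(posts):
    """Defect 1: post bodies are pasted into the page as raw HTML, so every
    other user who views the board runs whatever mallory posted."""
    items = "".join(f"<li><b>{p['author']}</b>: {p['body']}</li>" for p in posts)
    return f"<ul>{items}</ul>"


def render_board_safe(posts):
    """Fix 1: HTML-encode untrusted text at output time. The same post is
    now displayed literally instead of executed by the viewer's browser."""
    items = "".join(
        f"<li><b>{html.escape(p['author'])}</b>: {html.escape(p['body'])}</li>"
        for p in posts
    )
    return f"<ul>{items}</ul>"


def session_cookie(session_id, httponly=True):
    """Return the Set-Cookie value for the session cookie.
    Without HttpOnly the cookie is exposed through document.cookie, which is
    exactly what the grabber reads; with HttpOnly (fix 2) injected script
    can still run but cannot read the session token."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["secure"] = True        # never sent over plain HTTP
    c["session"]["samesite"] = "Lax"     # Python 3.8+ attribute
    if httponly:
        c["session"]["httponly"] = True
    return c.output(header="").strip()


def script_can_read(set_cookie_value, name="session"):
    """Check a Set-Cookie value: True when the cookie lacks HttpOnly,
    i.e. it would be readable by an injected script."""
    c = SimpleCookie()
    c.load(set_cookie_value)
    return not c[name]["httponly"]
```

Running both renderers over the same posts shows the marker surviving as a live tag in the first and as `&lt;script&gt;` text in the second; the cookie check is the kind of assertion worth keeping in a test suite for a lab like this.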