« Home | XSS » | Understanding file permissions on Linux » | Processors overview » | HTTP Compression » | perl editors » 

Thursday, October 19, 2006 

Cool I am successfull !! in XSS attack!!

Huh after 10hours of my hardwork I finally managed to do an xss attack against dictionary.com
The site was pretty easy to attack.... they are not doing much validation at all.. you want to see what id did :) click here (Hmm.. wait for the page to load copmletely ... :( well I need to manipulate some javascript to make it load fast.. but hey .. I am not using the exploit... so i think its fine to live with it for now)

So what did you observe in that page? ...
The domain in the url points to dictionary.com and the page asks you to sign up for a paid service to use it.... hmm.. thats all you submit your credit card info boom... nothing happens :).Actually I know that no one is going to get trapped for that stupid interface I gave...so I set the action for that form to "about:blank". If we want we can set the action of that form in such a way that the credit card info when submitted through this form gets mailed to my Id.

Any ways ... the interface is pretty premitive.. we can make it more cool with some javascript.. that makes the user think that the page is from dictionary.com only... (for instance if he seaches again ..he will not see the payment page ...with the current interface.. we can change that with a little bit of javascript...)..

Any ways if you want to know how i did that just .. decode the url I gave in "click here" link above.. download the script it is pointing to and explore further.... Happy Hacking :)

Seems the dictionary.com guys have updated their site.. so the link is not working...

Post a Comment