xssed trouble...
OK, basically, when I submit an XSS link to xssed.com and it uses POST, for some reason it never shows up... So I was wondering, am I doing this right?
NAME: SaMTHG
URL: http://www.the_xss_vulnsite.com/search.php
POST: "><script>alert("XSS")</script>
IMG: The verification numbers/letters
Because I've now submitted at least 15 different sites using POST and none have shown up... only those that have the XSS in the URL. Thanks
SaMTHG wrote: So when I put "> into the POST field, what I'm doing is inserting script into the source, but how do they know when to use "> on the site and when not to?
Maybe you should learn what happens with XSS. When you insert a ">, you are breaking out of an input field that has your input in it. For instance, let's say you type in:
test
The server could output:
<form action="" method="post">
<input type="text" value="test">
<input type="submit" value="Search">
</form>
If that happens, then you would try to type "><script>alert(1);</script>. If it's vulnerable, the page will output something like:
<form action="" method="post">
<input type="text" value=""><script>alert(1);</script>">
<input type="submit" value="Search">
</form>
If it isn't, it will output:
<form action="" method="post">
<input type="text" value="&quot;&gt;&lt;script&gt;alert(1);&lt;/script&gt;">
<input type="submit" value="Search">
</form>
Edit: I wish hbh would filter ampersands so I wouldn't have to type out all of the ampersands with &
SaMTHG wrote: I know how XSS works, I'm just wondering: if I only put in <script>alert(stuff here)</script>, and on the site I used the XSS on I used "><script>alert(stuff here)</script> and it works and doesn't work without the ">, then what do the staff of xssed do???
It's already been explained. Usually the input will be echoed in the page as, for example, <input type="text" value=$input>, or, I don't know, even <a href=$input>something</a>. If you input just <script>alert(/xsss/)</script> it will result in <input type="text" value="<script>alert(/xsss/)</script>">, thus not being executed, because you are still within the <input> tag. But if you use "><script>alert(/xsss/)</script> you end up with <input type="text" value=""><script>alert(/xsss/)</script>">, so the input tag is properly ended and then your script is inserted and executed. Whereas if the input was echoed just like <b>$input</b>, you could use just <script>alert(/xsss/)</script>, because when the input is echoed it's not within any other tag, therefore no need to end one -> <b><script>alert(/xsss/)</script></b>
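To make the two echo contexts from the replies above concrete, here is an added Python example (not from the thread or from xssed.com) that renders user input into the attribute template and the <b> template, with and without output encoding, and then uses the standard-library HTML parser to check whether a <script> element actually ends up in the document. The templates and payloads are constructed for the demo; the key defensive point is that html.escape(..., quote=True) produces exactly the &quot;&gt;&lt;script&gt; output shown earlier, so the input never leaves its attribute.

```python
import html
from html.parser import HTMLParser

# Constructed templates modelling the two echo contexts discussed in the thread:
# input reflected inside a quoted attribute value, and input reflected as text.
ATTR_TEMPLATE = ('<form action="" method="post">\n'
                 '<input type="text" value="{}">\n'
                 '<input type="submit" value="Search">\n'
                 '</form>')
TEXT_TEMPLATE = '<b>{}</b>'


def render(template, user_input, encode):
    """Echo user_input into template, with or without HTML output encoding."""
    if encode:
        # quote=True also encodes " and ', which is what keeps "> inside the attribute
        user_input = html.escape(user_input, quote=True)
    return template.format(user_input)


class ScriptFinder(HTMLParser):
    """Counts <script> start tags the browser-style tokenizer would see."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def script_executes(rendered):
    """True if the rendered page contains a real <script> element (not attribute text)."""
    finder = ScriptFinder()
    finder.feed(rendered)
    finder.close()
    return finder.scripts > 0


if __name__ == "__main__":
    plain = '<script>alert(1);</script>'
    breakout = '"><script>alert(1);</script>'
    for label, template in (("attribute", ATTR_TEMPLATE), ("text", TEXT_TEMPLATE)):
        for payload in (plain, breakout):
            for encode in (False, True):
                page = render(template, payload, encode)
                print(f"{label:9} encode={encode!s:5} {payload!r:32} -> runs={script_executes(page)}")
```

Run as a script it prints a small matrix: in the attribute context only the "> payload yields a script element, in the text context the bare <script> payload does, and with encoding on neither does in either context.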
I think it should be done like this: for example, if there is a login screen, input some XSS, use LiveHTTPHeaders and see how it sends it. Then use that part to submit the XSS to xssed. Example:
URL: www.somesite.com/login.php
Post: Username=%27%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E&Password=%27%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E
OK, but then why is it that on one of the sites you don't need the "> part?
P.S. The source looks like this:
<input id="search_term" name="SEARCH_REQUEST._search_term" value="<script>alert(/xssed/)</script>" maxlength="40" size="13" class="txtBox" onfocus="this.select();"/>