
Help hacking Guestbook


ghost

Hello,

I have been playing around with this guestbook application lately, and I think it's vulnerable to XSS. I'll explain:

I first tried

<script>

in the comment box, and after quite a number of tests, I figured it won't allow the word <script>, or even <s. So to make a long story short, I have figured a way around this by "HTML entities encoding" the <script> string, so it passes, so I submitted:

&lt;script language = &quot;Javascript&quot;&gt;alert(&#39;Hello&#39;);&lt;/script&gt;

So that managed to get past the filter, but when I viewed the guestbook, the string:

&lt;script language = &quot;Javascript&quot;&gt;alert(&#39;Hello&#39;);
 &lt;/script&gt;

was there in plaintext. Why didn't the application interpret and output it as JavaScript? Also, it allows images too; is there anything I can do with that?

Thanks.


ghost

The first JavaScript example was supposed to be encoded, guess this board did the same..


ghost

Double post..


ghost

Are you sure that HTML is allowed?

Type something like

<b>Cool</b>site!

If Cool is in bold.. then I can't help you any further; if it is not in bold, then I still can't help you any further.


ghost

If they have tags like we have here using markup ** bold ** and such, you can find a way to escape that… or use the URL one to make a JavaScript URL that automatically redirects or something.


ghost

Thanks for the replies. Yes, they allow HTML; you can choose between that and plain text. I'll just play around with it a bit more. If you want, PM me and I'll give you the URL, and we can work on it together. Thanks anyways.


ghost

If they use tags like [b] instead of <b>, what do you do?


ghost

I found an XSS vulnerability in a search engine that enables JavaScript and HTML injection, and I don't know where to go further with it too. What scripts/commands should I inject? :|


ghost

If you need help hacking a guestbook then you need help with your ability to learn and grasp concepts …


ghost

-The_Flash- wrote: If you need help hacking a guestbook then you need help with your ability to learn and grasp concepts …

True that.


ghost

Well, what I mostly do (and it's freaking awesome) if they have HTML allowed is this: <img src="blah.gif" onerror="alert('hi')">

From there you can redirect, etc.
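Added example, not part of the thread and not the guestbook's own code: it parses the three comment strings quoted above to show why the entity-encoded one displays as plain text, why a filter keyed on "<s" still lets an event-handler attribute through, and that escaping on output neutralizes all three. The filter in `blacklist_allows` is an assumed model built from the first post's description; all function names are illustrative.

```python
import html
from html.parser import HTMLParser

# Comment strings quoted in the thread above (the first in its unencoded form).
SAMPLES = {
    "raw_script": "<script>alert('Hello');</script>",
    "entity_encoded": "&lt;script language = &quot;Javascript&quot;&gt;"
                      "alert(&#39;Hello&#39;);&lt;/script&gt;",
    "img_onerror": "<img src=\"blah.gif\" onerror=\"alert('hi')\">",
}

def blacklist_allows(comment):
    # Assumed model of the guestbook filter: refuse anything containing "<s".
    return "<s" not in comment.lower()

class MarkupAudit(HTMLParser):
    """Records what an HTML parser treats as markup and what it treats as text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.handlers, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        # on* attributes (onerror, onload, ...) run script without a <script> tag
        self.handlers += [name for name, _ in attrs if name.startswith("on")]

    def handle_data(self, data):
        self.text.append(data)

def audit(page_html):
    parser = MarkupAudit()
    parser.feed(page_html)
    parser.close()
    return {"tags": parser.tags, "handlers": parser.handlers,
            "text": "".join(parser.text)}

def render_escaped(comment):
    # Output encoding: the stored comment is always emitted as text.
    return html.escape(comment, quote=True)

def report():
    return {name: {"passes_blacklist": blacklist_allows(c),
                   "echoed_as_is": audit(c),
                   "escaped_on_output": audit(render_escaped(c))}
            for name, c in SAMPLES.items()}

if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

Character references are decoded into text after tokenizing, so the encoded comment never produces a tag; the fix for the guestbook is output encoding (or an allowlist sanitizer where HTML comments are a feature), not a longer blacklist.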