Thread: XSS through SQLi?

#11 amolnaik4 (Web Security Consultant)


    vinnu, I guess you misunderstood this. This was a concept. I know, as you mentioned, nobody uses XSS nowadays for cookie stealing/session hijacking things. But this concept was related to a security assignment, not some underground hacking. We cannot simply infect the admin with Malware 2.0 just to make our point. But when a situation like this arises in assignments, we demonstrate the practical implementation of the concept which can be carried out for assignments.

    Hope you get it this time.

    AMol NAik

#12 "vinnu" (Security Researcher)
    Namaste

    Sorry for my comments; I was wondering why you were missing the precious point, but it is cleared up now. Thanks for the clarification, and many, many congrats to the Garage members at nullcon.


    "vinnu"

#13 amolnaik4 (Web Security Consultant)
    Quote originally posted by mandi:
    > I am a bit confused about this point, especially about the words "same port". Can you please clarify, mate?
    This is required for CORS to work and is a requirement of the Same Origin Policy. If the protocol/domain/port mismatch, SOP will prevent the communication.

    The "httpOnly" cookies will have no meaning in this case, as an XSS in the main site will only have access to the cookies of the main site, not the admin panel's. I came to know this while testing it on the setup. I'll strike it out.

    Now checking your post about "httpOnly" cookies; I will try to answer it.

    AMol NAik
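The two rules that post #13 leans on, the same-origin tuple (scheme, host, port) and the host/domain scoping of cookies, are easy to confuse, so here is an added example that works through both. It is not code from the thread or from any of its participants; the hostnames, cookie names and the admin-on-a-separate-host layout are constructed for illustration. It also goes one step beyond the post to show a caveat a tester should know: cookie scope, unlike SOP, ignores the port, so "different port" isolates scripts but not cookies.

```javascript
// Added example (not from the original thread): same-origin comparison versus
// cookie scoping. All URLs, hostnames and cookie names below are constructed.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Same-origin policy compares the tuple (scheme, host, effective port).
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// RFC 6265 domain matching: a cookie with Domain=example.com is sent to
// example.com and every subdomain; a cookie set without a Domain attribute is
// "host-only" and goes back only to the exact host that set it.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const dom = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === dom || host.endsWith("." + dom);
}

// RFC 6265 path matching: the cookie path must be a prefix of the request path
// on a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Would the browser attach this cookie to a request for pageUrl?
// cookie = { name, host, domain?, path, secure, httpOnly }  (constructed shape)
// Note: no port check, because cookies are not isolated by port.
function cookieSentTo(cookie, pageUrl) {
  const u = new URL(pageUrl);
  const hostOk = cookie.domain
    ? domainMatches(u.hostname, cookie.domain)
    : u.hostname.toLowerCase() === cookie.host.toLowerCase();
  const pathOk = pathMatches(u.pathname, cookie.path || "/");
  const secureOk = !cookie.secure || u.protocol === "https:";
  return hostOk && pathOk && secureOk;
}

// What a document.cookie read from an XSS payload running on pageUrl yields:
// everything the browser would send to that page, minus HttpOnly cookies.
function readableViaXss(cookies, pageUrl) {
  return cookies
    .filter((c) => cookieSentTo(c, pageUrl) && !c.httpOnly)
    .map((c) => c.name);
}

// Constructed scenario: public site on www, admin panel on its own host.
const COOKIES = [
  { name: "main_sess",  host: "www.example.com",   path: "/", secure: false, httpOnly: false },
  { name: "admin_sess", host: "admin.example.com", path: "/", secure: true,  httpOnly: true },
  { name: "shared",     host: "www.example.com",   domain: "example.com",
    path: "/", secure: false, httpOnly: false },
];

console.log(isSameOrigin("http://www.example.com/", "http://www.example.com:8080/")); // false
console.log(readableViaXss(COOKIES, "http://www.example.com/page"));   // main_sess, shared
console.log(readableViaXss(COOKIES, "https://admin.example.com/"));    // shared
```

Run with `node`. The output reproduces what amolnaik4 observed on his setup: a payload injected into www.example.com sees the main-site session but never the host-only admin cookie, regardless of HttpOnly. HttpOnly only matters for cookies the injected page's origin could otherwise read, as the `admin_sess` line shows when the payload runs on the admin host itself. The `shared` cookie shows the opposite trap: a Domain attribute set to the parent domain hands the cookie to every subdomain, so one XSS anywhere under example.com exposes it.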
