[OWASP-Security101] Help with Proof of Concept - XSS

psiinon psiinon at gmail.com
Thu Jun 28 08:15:18 UTC 2012


Hi Patrick,

The important thing to look at is the context within the html in which your
attack is injected.
If you're not getting a popup then it implies the attack is currently in a
'safe' context, which you will need to break out of.
For example, your string might be in an html comment:
<!-- <script>alert(1);</script> -->
In order to break out of the comment context you would need to supply a
string like:
--><script>alert(1);</script>
If you could send the surrounding html (removing anything which could help
identify the site) then we might be able to suggest suitable attacks.

As for showing the owner something scary - how about injecting content that
shows a login screen, or a message that says they've been taken over by a
competitor? (2 of my favorites;)

However be aware that if you haven't been explicitly asked to test this site
then you need to tread very carefully!
While some site owners might be grateful for your unsolicited input, others
might react badly and accuse you of attacking their site.

Cheers,

Simon


On Thu, Jun 28, 2012 at 3:49 AM, Patrick Laverty
<patrick_laverty at brown.edu>wrote:

> I've identified a site where I can inject anything into the source,
> like basic text, html tags or images from any other site. I'd like to
> show the owner something a little more scary than that. I tried to add
> in <script type='text/javascript'>alert(1)</script> and that does go
> into the source, but I don't get the alert box to show. I did turn off
> my popup blocker in the browser. I tried most of the suggestions from
> the rsnake cheat sheet too.
>
> Any suggestions on what I could be missing?
>
> Thank you.
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/security101
> List Run By OWASP
> List Admin: Michael.Coates at owasp.org
>



-- 
OWASP ZAP: Toolsmith Tool of the Year
2011 <http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>
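Simon's point is that the fix (and the test) depends on the HTML context the untrusted value lands in. The following is an added example, not code from this thread or from OWASP ZAP: it feeds an inert marker string through the page (a constructed sample page is embedded below), uses Python's standard `html.parser` to report which context each occurrence ended up in, and maps that context to the output encoding a developer should apply. The marker value and the sample page are assumptions for the demonstration.

```python
from html.parser import HTMLParser

# Constructed, inert marker: letters only, so it cannot change the HTML on its own.
MARKER = "zxqvmark"

# Constructed sample response that reflects the marker in four different contexts.
SAMPLE_PAGE = f"""<html><body>
<!-- debug: user={MARKER} -->
<input name="q" value="{MARKER}">
<p>You searched for {MARKER}</p>
<script>var q = "{MARKER}";</script>
</body></html>"""

# Per-context guidance for the page owner (defender's view of the same finding).
ADVICE = {
    "text": "HTML-entity encode the value (& < > \" ') before writing it into body text.",
    "attribute": "Attribute-encode the value and always quote the attribute.",
    "comment": "Never place untrusted data in an HTML comment; the sequence '-->' terminates it.",
    "script": "Do not build JavaScript from untrusted strings; pass the value via a data attribute or JSON-encode it.",
    "style": "Do not place untrusted data inside CSS.",
}


class ContextFinder(HTMLParser):
    """Records the HTML context of every occurrence of the marker."""

    def __init__(self, marker):
        super().__init__()
        self.marker = marker
        self.hits = []          # list of (context, location) tuples, in document order
        self._raw_tag = None    # set while inside <script> or <style>, whose content is raw text

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and self.marker in value:
                self.hits.append(("attribute", f"{tag}[{name}]"))
        if tag in ("script", "style"):
            self._raw_tag = tag

    def handle_endtag(self, tag):
        if tag == self._raw_tag:
            self._raw_tag = None

    def handle_data(self, data):
        if self.marker in data:
            # HTMLParser hands <script>/<style> bodies to handle_data as raw text.
            if self._raw_tag:
                self.hits.append((self._raw_tag, "raw text"))
            else:
                self.hits.append(("text", "body"))

    def handle_comment(self, data):
        if self.marker in data:
            self.hits.append(("comment", "<!-- -->"))


def find_contexts(page_html, marker=MARKER):
    """Return [(context, location), ...] for each place the marker was reflected."""
    finder = ContextFinder(marker)
    finder.feed(page_html)
    finder.close()
    return finder.hits


def advice(context):
    """Return the remediation guidance for a context reported by find_contexts."""
    return ADVICE.get(context, "Unknown context; inspect the surrounding HTML manually.")


if __name__ == "__main__":
    for context, location in find_contexts(SAMPLE_PAGE):
        print(f"{context:10} at {location:14} -> {advice(context)}")
```

Run against a real response, the report tells the developer which encoder each reflection point needs, and tells the tester which context to describe when asking for help, which is exactly the "send the surrounding html" step Simon asks for.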

