[OWASP-Security101] Help with Proof of Concept - XSS

Owasp-Manila michael.dungog at owasp.org
Thu Jun 28 03:17:00 UTC 2012


Hi Patrick,

I suggest that you do not try any of the rsnake cheat sheet examples on any web application or system unless you have permission from the system owner. I guess that is the most important thing you are missing.

Build your own pentest lab and learn from it. You can play with the following vulnerable systems or google it for more.

http://code.google.com/p/webgoat/
https://github.com/adamdoupe/WackoPicko
http://www.dvwa.co.uk/
https://github.com/SpiderLabs/SQLol


Regards,

Michael

On Jun 28, 2012, at 10:49 AM, Patrick Laverty <patrick_laverty at brown.edu> wrote:

> I've identified a site where I can inject anything into the source,
> like basic text, html tags or images from any other site. I'd like to
> show the owner something a little more scary than that. I tried to add
> in <script type='text/javascript'>alert(1)</script> and that does go
> into the source, but I don't get the alert box to show. I did turn off
> my popup blocker in the browser. I tried most of the suggestions from
> the rsnake cheat sheet too.
> 
> Any suggestions on what I could be missing?
> 
> Thank you.