Friday, August 19, 2011

Harvesting Cross Site Scripting (XSS) Victims - Clicks, Keystrokes and Cookies

A couple of years ago I was inspired by @fmavituna's work on XSS Shell and decided to write a new extended version (XSS-Shell-NG) using a PHP and a MySQL backend rather than the ASP/Access combination of the original. I never released the tool publicly, as my main aim of making XSS Shell easier to use was never really accomplished; it still required a significant amount of set up to get it working. However, one thing that both tools did well once working was to demonstrate the real business impact of cross-site scripting.

To demonstrate the real business impact of cross site scripting I have developed a completely new tool from the ground up - XSS-Harvest. It is multi-threaded pre-forking web server written in Perl, and requires no dependencies other than a couple of common Perl modules; you do not need a web server or database to use this tool. Before going into the detail, I'll list the high level functionality below:


Download XSS-Harvest :

XSS Attacks: Cross Site Scripting Exploits and DefenseThe Web Application Hacker's Handbook: Discovering and Exploiting Security FlawsSQL Injection Attacks and DefenseHacking: The Next Generation (Animal Guide)Seven Deadliest Web Application Attacks (Seven Deadliest Attacks)

No comments:

Post a Comment