How to Crack a Website - XSS, Cookies, Sessions - Slashdot

Become a fan of Slashdot on Facebook

×

How to Crack a Website - XSS, Cookies, Sessions 167

Posted by CmdrTaco on Monday August 14, 2006 @04:48AM from the waste-your-time dept.

twistedmoney45 writes "Informit.com provides an insiders look at a real life XSS attack and how it was used to bypass the authentication scheme of an online web application, leading to "shell" access, an admin account, and more. XSS attacks are often discussed in theory — this walk through illustrates just how dangerous these types of attacks can be in reality."

This discussion has been archived. No new comments can be posted.

How to Crack a Website - XSS, Cookies, Sessions

Search 167 Comments Log In/Create an Account

Comments Filter:

So... (Score:5, Funny)

by cp.tar ( 871488 ) writes: <cp.tar.bz2@gmail.com> on Monday August 14, 2006 @04:52AM (#15901313) Journal

... can I crack pr0n sites with it?

(This would have even been a frosty piss if it weren't for a Slow Down Cowboy!)

Share
twitter facebook
Requires social engineering (Score:5, Funny)

by cras ( 91254 ) writes: on Monday August 14, 2006 @05:18AM (#15901372) Homepage

The most problematic part from the article:
The end result was that I had to make a user click on a link that first took the victim to my server

I think this is the reason why people aren't that concerned about XSS. This requires that the attacker knows someone who has access to the web site and a way to get him to click on the link. I would certainly never click on a suspicious looking link. But sure, not everyone does that and if there are other post-login holes to get yourself into an admin, that's a problem for you too.

One thing that annoys me when discussing XSS problems and such is that people always just suggest to validate input. I've built perfectly secure PHP applications that don't validate input at all, they just don't print the output using "print" but another function that properly escapes the output. So much more easier that way than having to think about input validation for every single new field you add.

Share
twitter facebook
Re:I knew, but... (Score:4, Funny)

by flumps ( 240328 ) writes: <matt.corby@gBALDWINmail.com minus author> on Monday August 14, 2006 @08:01AM (#15901712) Homepage

.. Nobody can pwn me, I use IIS!!

Parent Share
twitter facebook
Re:Boring... (Score:1, Funny)

by Anonymous Coward writes: on Monday August 14, 2006 @08:01AM (#15901714)

Yup, Somebody Cracked Slashdot [slashdot.org]

My favorite quote from said article:
our db stores passwords in plaintext. Yes it's stupid, but I wrote this code 3 years ago and had no clue

Parent Share
twitter facebook
Meh. (Score:2, Funny)

by goldenratiophi ( 878655 ) writes: on Monday August 14, 2006 @08:38AM (#15901838)

I was just hoping for a text box and a button saying "Crack Website!"

Share
twitter facebook

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

413 commentsChatGPT Leans Liberal, Research Shows
347 commentsAmazon CEO Says 'It's Probably Not Going To Work Out' For Employees Who Defy Return-to-Office Policy
327 commentsHotel Owners Start To Write Off San Francisco as Business Nosedives
323 commentsChina is Building Nuclear Reactors Faster Than Any Other Country
315 commentsChina is Calling in Loans To Dozens of Countries

"When the going gets tough, the tough get empirical." -- Jon Carroll