Oct 8, 2011
Clickjacking for Shells
Andrew Horton (urbanadventurer) presented Clickjacking for Shells at the OWASP Wellington, New Zealand Chapter Meeting on September 20th, 2011.
Two years after the world was warned about clickjacking, popular web apps are still vulnerable and no web app exploits have been published. With many security pros considering clickjacking to have mere nuisance value on social networks, the attack is grossly underestimated. I will demonstrate step by step how to identify vulnerable applications, how to write exploits that attack web apps and also how to protect against clickjacking. To demonstrate this issue I will publish an 0day clickjacking exploit for WordPress v3.1.2 and earlier to gain a shell on the webserver. In May this year the tech media reported and speculated upon clickjacking protection being implemented in WordPress and now I will show you why it is so important.
# ITS © # 2009 - 2011
Feb 16, 2011
Feb 8, 2011
XSS Shell Zombie Manager
XSS Shell is powerful a XSS backdoor and zombie manager. This concept first presented by "XSS-Proxy - http://xss-proxy.sourceforge.net/". Normally in XSS attacks attacker has one shot, in XSS Shell you can interactively send requests and get responses from victim. you can backdoor the page.
You can steal basic auth, you can bypass IP restrictions in administration panels, you can DDoS some systems with a permanent XSS vulnerability etc. Attack possibilities are limited with ideas. Basically this tool demonstrates that you can do more with XSS.
You can steal basic auth, you can bypass IP restrictions in administration panels, you can DDoS some systems with a permanent XSS vulnerability etc. Attack possibilities are limited with ideas. Basically this tool demonstrates that you can do more with XSS.
# ITS ©
# 2009 - 2011
Subscribe to:
Posts (Atom)