Monday, September 16, 2013

XSS in www.toptalent.in

Hi,
today I am going to tell you about an exploit on a live site, www.toptalent.in. You are advised not to reproduce the attack under any circumstances. So let's start. What do we need to know?
Let's say basic JavaScript works just awesome. The name of this attack is XSS, better known as cross-site scripting. How does the attack work? It is simple: it takes advantage of the fact that toptalent.in does not sanitize the input it receives from customers, and of the fact that a browser has a JavaScript engine that can run any script.
Now, to get started you will need to go to the employer's account. A fake account works just fine, and it only requires a simple email ID to validate. Once you have set up this account, go over to change the name of the company. Don't name your company; instead, simply insert a script in this field to finish this stage of the XSS attack. Let's say a simple script like

<script>alert("Y0u R 0wn3d");</script>


should work just fine. Log in again using your employer's account and see the change. This type of XSS is called a stored XSS vulnerability; it can be seen in many places and is used mostly in defacing websites with a little creativity.
Going a step further, I realized that the names of the new companies were also stored on the homepage. Well, let's say I exploited that vulnerability by changing the name of the company a little and got my own message right across the home page.
I posted an image of the first attack that I conducted; I guess the second attack is for you to figure out.
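For the fix side of the stored XSS described above, here is an added example (not from the original post and not toptalent.in's code) that renders a stored company name without and with output encoding, plus an input-side check. The function names, markup and sample records are assumptions made for illustration.

```javascript
// Added example: names and markup are hypothetical, not toptalent.in's code.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored value is concatenated straight into markup.
function renderCompanyUnsafe(name) {
  return '<li class="company">' + name + "</li>";
}

// Hardened pattern: encode at output time, on every page that shows the value
// (the employer profile and the homepage listing alike).
function renderCompanySafe(name) {
  return '<li class="company">' + escapeHtml(name) + "</li>";
}

// Input-side check as defence in depth: reject angle brackets and control
// characters in a company name. Output encoding is still required.
function isPlausibleCompanyName(name) {
  return typeof name === "string" &&
    name.trim().length > 0 &&
    name.length <= 100 &&
    !/[<>\u0000-\u001f]/.test(name);
}

// Constructed sample records: an ordinary name and the script quoted in the post.
const storedNames = ["Acme & Sons", '<script>alert("Y0u R 0wn3d");</script>'];

// Build the homepage company list with whichever renderer is passed in.
function renderHomepage(names, render) {
  return "<ul>" + names.map((n) => render(n)).join("") + "</ul>";
}

console.log(renderHomepage(storedNames, renderCompanyUnsafe));
console.log(renderHomepage(storedNames, renderCompanySafe));
```

The encoded output shows the script as visible text in the list instead of handing it to the browser's JavaScript engine.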
