Dashboard Articles Playground Discussions More
Follow

Javascript Alerts

Ammon Sprayberry [AlienWars]
10 years ago

0

Thought that I might come here to ask about this… I’ve seen people use things like javascript:alert(document.cookie) and I was looking into it more but, haven’t really found much. So does anyone know of a good website or tutorials or anything? Any help is appreciated thank you.

 

Please try this site. Props to @jayssj11! Looks good!
http://elitesforum.cu.cc/index.php

8replies
4voices
222views
[deleted user]
10 years ago

0

I don’t understand what you’re asking about :) the javascript: directive or the document.cookie part?

Be aware that alerting cookies wont work if they have the HttpOnly flag set :)

tripleedged
10 years ago | edited 10 years ago

1

Hi there,
I don’t know if you already know about OWASP, but they feature all major vulnerabilities. You are looking for “cross-site scripting” sometimes called CSS or more often XSS, so it doesn’t confuse with Cascading style sheets. Another term would be “session riding”.

Have a look here:
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

There are some examples there and there is also a cheat sheet how to prevent something like that from happening here:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

Maybe wikipedia is a good start as well, but I guess OWASP covers it in more detail…

Have fun!

dit:
Since sabertooth mentions the alert() thing: Mostly the alert() is only to check if it is possible to inject arbitrary script code. The actual attack uses something like src-attribute of iframes or image-tags to send the victims cookie to your server. But if you have a look at the pages I posted above, there are some examples…

Ammon Sprayberry [AlienWars]
10 years ago

0

Thank you. Help with either directive or the document.cookie part would be appreciated.

 

Please try this site. Props to @jayssj11! Looks good!
http://elitesforum.cu.cc/index.php

Cyan Wind [freewind1012]
10 years ago

0

It seems that XSS is so hot these days. Maybe I should take a look this way. ;)

 
![Image](https://www.hackthis.co.uk/user/userbar.png?user=freewind1012%20//%20Navigator)
[deleted user]
10 years ago | edited 10 years ago

0

@freewind1012 I’ve personally found the opposite :) Many browsers these days have xss protection and there are site headers which mostly mitagate the issue. Couple this with cookie flags like HttpOnly, and most common frameworks having inbuilt protection.
Of course it’ll never fully be wiped out, but more and more I think we’re seeing xss as an attack vector which is on the decline.

Cyan Wind [freewind1012]
10 years ago | edited 10 years ago

0

@sabretooth: Yeah, I have no argument about the technical side. The more people aware of this exploitation, the better it will get “treated”. The “hot” thing which I said, maybe, is relevant to HackThis!! levels. ;)

 
![Image](https://www.hackthis.co.uk/user/userbar.png?user=freewind1012%20//%20Navigator)
[deleted user]
10 years ago

0

@freewind1012 Now it makes more sense ;)

For those wanting a quick XSS challenge (no registration), check this out by Google:
https://xss-game.appspot.com/

Ammon Sprayberry [AlienWars]
10 years ago

0

Thanks for all the info. Will keep the thread open for now

 

Please try this site. Props to @jayssj11! Looks good!
http://elitesforum.cu.cc/index.php

You must be logged in to reply to this discussion. Login
1 of 9

This site only uses cookies that are essential for the functionality of this website. Cookies are not used for tracking or marketing purposes.

By using our site, you acknowledge that you have read and understand our Privacy Policy, and Terms of Service.

Dismiss