Tuesday, September 02, 2014

    Help with ASP.NET XSS
    04-11-2014 12:41 PM Help with ASP.NET XSS | Edited by ChaoticWind 04-11-2014 12:53 PM
    I'm pretty new to XSS, and this post may be a bit long so please bear with me.

    I have a page that uses ASP.NET 1.1.4233 to log in; when the login fails, it shows at the top of the page "Username [username] not valid". When I put
    <IMG SRC="http://foor.com/bar.png" >


    in the Username box, it shows the image because it does not sanitize the input and proves that code can be injected into the page. Now I want to create a URL that passes that to the page when clicked on. The page uses POST to pass the variables when you try to login, so I tried to create a page that had something like:

    <form method="POST" action="https://example.com/Default.aspx" name="FormX" >
    <input type="hidden" name="username" value="X<IMG SRC="http://foo.com/bar.png" >" />
    <input type="hidden" name="pass" value="fail" />
    <script>
    document.FormX.submit();       
    </script>
    </form>




    But when I would click on it, I would be taken to the normal page and nothing would happen. So then I tried to use the __VIEWSTATE variable in the URL like so:

    This works for a little while but after like 5 minutes when I try to go to the link, I am redirected to the site's /DefaultErrorPage.aspx?aspxerrorpath=/SA/Default.aspx which says:

    Error Message: Username and password combination not valid!
    Technical Message: Thread was being aborted.
    Calling Stack: _btnLogin_Click
    Parameter List:

    Does anyone know why it only works for a few minutes or how I can make the URL last longer? Again, I'm pretty new to XSS, and I don't know much about ASP.NET.
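
Added example, not part of the original post and not the site's code: the post says the failed-login message echoes the username without sanitizing it. This C# console program shows that unencoded reflection beside an encoded and an allow-listed form of the same message. The class and method names and the account-name pattern are assumptions; `WebUtility.HtmlEncode` is used so it runs outside a web project, and on ASP.NET 1.1 the equivalent call is `HttpUtility.HtmlEncode` or `Server.HtmlEncode`.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example; names are hypothetical, not taken from the site in the post.
public static class LoginError
{
    // Assumed account-name policy: letters, digits, dot, underscore, hyphen.
    // \z (not $) so a trailing newline cannot slip past the check.
    private static readonly Regex ValidName =
        new Regex(@"^[A-Za-z0-9._-]{1,64}\z");

    // The pattern the post describes: input concatenated into HTML as-is,
    // e.g. assigned to a Label's Text, which is rendered without encoding.
    public static string BuildUnsafe(string username)
    {
        return "Username " + username + " not valid";
    }

    // Encoding alone, for pages that must display the submitted value:
    // markup characters become entities and are shown as text.
    public static string BuildEncoded(string username)
    {
        return "Username " + WebUtility.HtmlEncode(username ?? "") + " not valid";
    }

    // Hardened: never echo a value that cannot be an account name, and
    // HTML-encode whatever is echoed.
    public static string BuildSafe(string username)
    {
        if (username == null || !ValidName.IsMatch(username))
            return "Username and password combination not valid!";
        return "Username " + WebUtility.HtmlEncode(username) + " not valid";
    }

    public static void Main()
    {
        // Constructed inputs; the second is the test string from the post.
        string[] samples = { "alice", "X<IMG SRC=\"http://foo.com/bar.png\" >" };
        foreach (string s in samples)
        {
            Console.WriteLine("unsafe : " + BuildUnsafe(s));
            Console.WriteLine("encoded: " + BuildEncoded(s));
            Console.WriteLine("safe   : " + BuildSafe(s));
        }
    }
}
```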
     