Friday, October 09, 2015
    Help with ASP.NET XSS
    04-11-2014 12:41 PM Help with ASP.NET XSS | Edited by ChaoticWind 04-11-2014 12:53 PM
    I'm pretty new to XSS, and this post may be a bit long so please bear with me.

    I have a page that uses ASP.NET 1.1.4233 to log in; when the login fails, it shows at the top of the page "Username [username] not valid". When I put
    <IMG SRC="" >

    in the Username box, it shows the image because it does not sanitize the input and proves that code can be injected into the page. Now I want to create a URL that passes that to the page when clicked on. The page uses POST to pass the variables when you try to log in, so I tried to create a page that had something like:

    <form method="POST" action="" name="FormX" >
    <input type="hidden" name="username" value="X<IMG SRC="" >" />
    <input type="hidden" name="pass" value="fail" />

    But when I would click on it, I would be taken to the normal page and nothing would happen. So then I tried to use the __VIEWSTATE variable in the URL like so:

    This works for a little while but after like 5 minutes when I try to go to the link, I am redirected to the site's /DefaultErrorPage.aspx?aspxerrorpath=/SA/Default.aspx which says:

    Error Message:Username and password combination not valid!
    Technical Message:Thread was being aborted.
    Calling Stack:_btnLogin_Click
    Parameter List:

    Does anyone know why it only works for a few minutes or how I can make the URL last longer? Again, I'm pretty new to XSS, and I don't know much about ASP.NET.
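
The missing output encoding described in the post, seen from the server side, as an added example that is not part of the original post or the site's code: the reflected error message built without and with HTML encoding, plus a check that can be used as a regression test. The class and method names are hypothetical, and `System.Net.WebUtility.HtmlEncode` is used so the program runs as a plain console application.

```csharp
using System;
using System.Net;

// Added example, not code from the site in the post.
// Class and method names are hypothetical.
static class LoginErrorMessage
{
    // Vulnerable pattern: user input concatenated straight into markup.
    public static string RenderUnsafe(string username)
    {
        return "Username " + username + " not valid";
    }

    // Hardened pattern: encode for the HTML body context at the point of output.
    public static string RenderEncoded(string username)
    {
        return "Username " + WebUtility.HtmlEncode(username) + " not valid";
    }

    // Regression check: markup characters must not reach the page unencoded.
    public static bool ContainsRawMarkup(string rendered)
    {
        return rendered.IndexOfAny(new[] { '<', '>', '"' }) >= 0;
    }

    static void Main()
    {
        // Constructed inputs: the tag from the post plus two ordinary names.
        string[] samples = { "<IMG SRC=\"\" >", "alice", "O'Brien & Co" };
        foreach (string s in samples)
        {
            string unsafeHtml = RenderUnsafe(s);
            string safeHtml = RenderEncoded(s);
            Console.WriteLine("input   : " + s);
            Console.WriteLine("unsafe  : " + unsafeHtml
                + "  raw markup=" + ContainsRawMarkup(unsafeHtml));
            Console.WriteLine("encoded : " + safeHtml
                + "  raw markup=" + ContainsRawMarkup(safeHtml));
        }
    }
}
```

In ASP.NET 1.1 code-behind the equivalent call is `System.Web.HttpUtility.HtmlEncode`, applied at the point where the username is written into the error label.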