So a while ago I asked if I was allowed to play with http://www.bravadogaming.com/ and I got a positive response, I kinda looked around at their custom CMS, didnt see anything immediately available, playing with cookies, changing values here and there, got some SQL errors on http://www.bravadogaming.com/articles/%27%20OR%201=1%20#/ but nothing really spectacular:
I looked around some more, nothing really special, played with register and login, seemed okay.. decided to make an account and see what options I had. Please note I did not even REMOTELY test everything, i was really just messing around. First thing I saw was that people where big on blogs, blogs are linked by categories and blogs in the same categories show similar blogs, heres my first blog:
I started looking into messing with stuff, coming from a bit of a webdev background, immediately hit up some jscript, ie <script>alert(‘AndrewMohawk is AWESOME’);</script>.
Sure enough out the bag, xss is firing.
Even better.. XSS is persistent, not only on my entry, but on the titles being pulled from other articles in the same category (uncategorized)…
So now we have that, now what?
Recent Posts
- Magnetic Stripes: Part 2 (Attacking)
- Bypassing LF Entry Systems
- zacon wrap-up!
- Hacking fixed key remotes
- Arduino Watering System: Update
What?
Tag cloud
Aiken Biphase
airodump-ng
AlchemyAPI
alerting
Arduino
Badges
botnet
c++
client side attack
cross site scripting
denial of service
facebook
facebookGraphAPI
facial recognition
google
google earth
GPS
GraphAPI
information leak
IPCam
LCD
LED
Magstripe
Maltego
mIRC
MusicBee
NER
NLP
pastebin
php
proxy
RTLSDR
Security
Serial
Servo
slowloris
Soil Moisture
Soil Sensor
SQL injection
tcp
VMWare
Water Pump
Webcam
xss
ZACon Coding (25)
General (8)
Magnetic Stripes (2)
Pastebin (6)
RFID (1)
RTLSDR (2)
Security (20)
WP Cumulus Flash tag cloud by Roy Tanck requires Flash Player 9 or better.
Donate
Archives
Created by Site5 WordPress Themes.
Experts in WordPress Hosting.