XSS-Proxy PoC

The other day, i was thinking about how can i actually get more sales during a meeting session with customers and with the current bloom of hacking websites, i thought its time to actually show customers of what i can do and the impact of a XSS vulnerability. I referred to the book "XSS Exploit and Defence" by Jeremiah and Rsnake and i decided to go with a tool called the XSS-Proxy. All i can say is this tool is really light and easy to use. All you need is just perl and a webserver to be running on your machine and one would have to just launch the listener from there on with the command "perl XSS-Proxy-shmoo_0_0_11" in the command prompt. Anton Rager actually spend some time with me explaining to me how this tool works and the impact of an XSS. I would like to thank him here for his time and effort. If those of you guys who would love to try this tool, download it at http://xss-proxy.sourceforge.net. There is also Advanced XSS attacks and a mini whitepaper for further knowledge reading.

First to startup xss-proxy:


Then inject a script tag into the victim page, be it persistent or reflected, try it to realised it.


The admin page contains the links that the victim had visited, and by clicking those links, you can choose to redirect and hijack the victim browser under the same document domain


A sample of the redirect attack. Observe the below grey bar with "Opening page.."
This is achieved through by clicking on the admin page on one of the links the victim had visited and i wanted the victim to visit another page, so i choose the link i wanted the victim to visit and click on it. On the victim side, he will automatically be redirected to the page i chosed.


And finally, i can even proxy javascript injection on the victim browser. A simple one would be alert('XSS');


The Hacka Man