orld’); </script>
Once you do that, you will find that Gruyere reports the URL at which the file was uploaded. Such a URL can then be used in an attack (for example, phishing) by sending it as part of an email. Typically such links are obfuscated to hide their real intent; the obfuscation is usually done with an encoder such as http://meyerweb.com/eric/tools/dencoder/ or a URL-shortening service such as goo.gl.
Web Exploitation and Vulnerabilities
Exercise 2b: Stored XSS
What we want to do is put a script in a place where Gruyere will serve it back to another user.
Create new snippets by testing the following scripts:
(1) <a onmouseover="alert(1)" href="#">read this!</a>
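The exercise works because a snippet is stored once and then echoed verbatim into every viewer's page. The following Python example is added here and is not part of the lab handout or of Gruyere's own code; the snippet-rendering functions and the sample snippet list are hypothetical and constructed for illustration. It shows the echoing path next to the usual fix (HTML-entity encoding for an HTML text context), plus a small server-side check that flags snippets carrying script tags or on* event handlers so they can be logged for review.

```python
import html
import re

# Constructed sample snippets: a harmless note, the payload from Exercise 2b,
# and the script-tag form from the earlier exercise.
SNIPPETS = [
    "Just a plain note.",
    '<a onmouseover="alert(1)" href="#">read this!</a>',
    "<script>alert('Hello world');</script>",
]


def render_snippet_vulnerable(snippet):
    """Hypothetical rendering path that echoes the stored snippet verbatim.
    Whatever markup the author typed is interpreted by every viewer's browser;
    that is what makes the bug a *stored* XSS."""
    return "<div class='snippet'>" + snippet + "</div>"


def render_snippet_safe(snippet):
    """Same page, but the snippet is entity-encoded for an HTML text context.
    '<', '>', '&' and both quote characters become entities, so the browser
    displays the payload as text instead of wiring up the onmouseover handler."""
    return "<div class='snippet'>" + html.escape(snippet, quote=True) + "</div>"


# Cheap server-side check for snippets that contain active content (a script tag
# or an on* event-handler attribute). Good for logging and alerting; it is not a
# substitute for output encoding, which is what actually closes the bug.
ACTIVE_CONTENT = re.compile(r"<\s*script\b|\bon[a-z]+\s*=", re.IGNORECASE)


def looks_like_active_content(snippet):
    return ACTIVE_CONTENT.search(snippet) is not None


def triage(snippets=SNIPPETS):
    """Return (index, encoded_html) for every snippet that trips the check."""
    return [(i, render_snippet_safe(s))
            for i, s in enumerate(snippets) if looks_like_active_content(s)]


if __name__ == "__main__":
    for i, s in enumerate(SNIPPETS):
        print(i, "ACTIVE" if looks_like_active_content(s) else "ok")
        print("  raw :", render_snippet_vulnerable(s))
        print("  safe:", render_snippet_safe(s))
```

Encoding must match the context the data lands in: `html.escape` is right for text between tags; a snippet placed inside an attribute value or a script block would need that context's encoding instead.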
Elevation of Privilege
Convert your account to an administrator account
• Take a look at the Profile page ( /editprofile.gtl ) that users and
administrators use to edit profile settings. If you're not an administrator, the
page looks a bit different.
• Can you figure out how to fool Gruyere into letting you use this page to
update your account?
• Using the document.cookie script you used earlier, get an idea of how Gruyere issues cookies: hash|username|admin|author
Assuming that the username of the admin account is ‘foo’, you can create a new account with
When you log into this account, it will issue you the cookie hash|foo|admin|author||author, which
actually logs you into foo as an administrator.
Check the Profile page now and see if you’ve got admin rights!
This procedure used cookie manipulation to elevate your privileges.
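The root cause here is a session cookie whose fields are separated by a character the user controls through the username, combined with a parser that trusts field positions. The Python example below is added here and is not Gruyere's code: it models the naive split-on-delimiter parsing against the cookie value shown in the exercise, then shows a hardened issuer/parser (hypothetical, with a constructed secret key) that serialises the session as JSON so field boundaries are unambiguous, allowlists the username so delimiter characters can never enter it, and binds the whole payload with an HMAC so an edited flag is rejected.

```python
import hashlib
import hmac
import json
import re

# Cookie value shown in the exercise: the "|"-delimited layout hash|username|admin|author,
# where the username field itself carried extra "|"-separated pieces.
TAMPERED_COOKIE = "hash|foo|admin|author||author"


def parse_cookie_naive(cookie):
    """Models the parsing the exercise exploits: split on '|' and trust positional
    fields. Nothing stops the username from containing the delimiter, so the parser
    cannot tell a username boundary from a flag boundary."""
    fields = cookie.split("|")
    return {
        "username": fields[1],
        "admin": fields[2] == "admin",
        "author": fields[3] == "author",
    }


# --- hardened variant (hypothetical; not Gruyere's own code) ----------------------

# Constructed server-side secret; a real deployment loads it from configuration.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"

# Allowlist for usernames: delimiter and markup characters can never reach the cookie.
USERNAME_OK = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def username_accepted(username):
    return USERNAME_OK.match(username) is not None


def issue_cookie_hardened(username, admin=False, author=False):
    """Serialise the session as JSON (unambiguous field boundaries) and bind it with an
    HMAC over the whole payload, so neither the username nor the flags can be edited."""
    if not username_accepted(username):
        raise ValueError("username outside allowlist")
    payload = json.dumps({"u": username, "admin": bool(admin), "author": bool(author)},
                         separators=(",", ":"), sort_keys=True)
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return mac + "." + payload


def parse_cookie_hardened(cookie):
    """Return the session dict, or None if the shape is wrong or the MAC fails."""
    mac, sep, payload = cookie.partition(".")
    if not sep:
        return None  # no MAC/payload separator: legacy "|" cookie or garbage
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # edited payload or wrong key: treat as unauthenticated
    data = json.loads(payload)
    return {"username": data["u"], "admin": data["admin"], "author": data["author"]}


if __name__ == "__main__":
    print("naive   :", parse_cookie_naive(TAMPERED_COOKIE))
    print("hardened:", parse_cookie_hardened(TAMPERED_COOKIE))
    good = issue_cookie_hardened("foo")
    print("issued  :", good)
    print("parsed  :", parse_cookie_hardened(good))
```

Two properties matter independently: the allowlist removes the ambiguity the exercise relies on, and the MAC means that even a cookie with the right shape is rejected unless the server produced it. Either alone leaves a gap; together, the only way to obtain an admin session is for the server to issue one.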
This document was uploaded on 04/04/2014.
- Spring '14