Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] xss problems

from [Deepan] Network Security [Permanent Link]
Subject: [Full-disclosure] xss problems
Date: Tue, 26 Dec 2006 15:17:23 +0800 
Hi All,
 The following sites have XSS problems

1)  http://chennaionline.com/search/  ( the first search box ) 

The user input for search is later displayed in the result page. No
filtering is done to remove Java Scripts in the query. 


2) http://www.sdbj.com/forgot.asp  

        user is a valid field in the table where email is stored. 

3) http://www.visionoss.com/login/forgotpassword/

     userEmail is a valid field in the table where email is stored. 

I had reported my findings. I am just trying to learn the basics of XSS.
I have few doubts. The site 

http://www.xdisclose.com/tools/yahoocookiepoc.html is capable of
decrypting yahoo cookies. I fail to understand how they decrypt the user
name, dob and country details from cookie.

The relavent cookie contents are 

Y=v=1&n=3nkia0lkek00v
l=h4fb820j4c08b/o
p=m2kvvin013000000
jb=16|47|
iz=600042
r=ak
lg=us
intl=us
np=1


l stands for username, 
p stands for country, year of birth, gender 


Can someone tell me how xdisclose.com tools decrypt username, country,
year of birth and other details. 

-- 
-----------------------------------------------
Regards
Deepan Chakravarthy N
http://www.codeshepherd.com/
http://sudoku-solver.net/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] logahead UNU edition 1.0 Remote upload file & code execution, corrado.liotta
Next by Date:  Re: [Full-disclosure] xss problems, Deepan
Previous by Thread:  [Full-disclosure] logahead UNU edition 1.0 Remote upload file & code execution, corrado.liotta
Next by Thread:  Re: [Full-disclosure] xss problems, Deepan
Indexes:  [Date] [Thread] [Top] [All Lists]