XSS Missions Feasible?

Got an idea on how things should be done? A problem with something on the site? Voice your opinion!

XSS Missions Feasible?

Post by thedotmaster on Mon Jun 16, 2008 2:50 pm
([msg=4975]see XSS Missions Feasible?[/msg])

Hey guys,
XSS is quite a widespread vulnerability (49% sites vulnerable, etc) and one that is ideal for the younger users to learn as a starter.
But no XSS missions? The response from the devs is that it's too hard to monitor whether the person who attempts the mission has actually completed it.
Let's say the challenge (lol) is to make an alert box come up (challenging shit) - the answer would be <script>alert(/xss/)</script> and a few variations of that.
http://www.hackthissite.org/missions/xs ... ate.php?q=<script>alert(/xss/)</script> could register the fact that the user has completed it, right?
What else could you do with the XSS? Perhaps using " to escape inputs in a form and add other details that are then submitted? I'm not sure.
Anyone else got any ideas?
Image
User avatar
thedotmaster
Contributor
Contributor
 
Posts: 984
Joined: Sun May 04, 2008 4:39 pm
Location: North West UK
Blog: View Blog (1)


Re: XSS Missions Feasible?

Post by Nines on Mon Jun 16, 2008 3:32 pm
([msg=4979]see Re: XSS Missions Feasible?[/msg])

It's easy to tell with an alert box, but different people use different syntax and the more in-depth the challenges get, the longer the answers get. Then you need more validation of answers. We've seen what happened with Extbasic.7 when you can have more than one possible solution to a mission. People get pissy over it and end up disliking the challenge. :/
User avatar
Nines
Poster
Poster
 
Posts: 191
Joined: Sun Apr 13, 2008 5:57 pm
Blog: View Blog (0)


Re: XSS Missions Feasible?

Post by koryo on Tue Jun 17, 2008 7:29 am
([msg=5029]see Re: XSS Missions Feasible?[/msg])

i don't see why people should get pissy over it, they are here to learn, so when they learn a method that works on a mission, telling them to go back and revisit it, and try a different method should be welcomed, as it is yet another learning experience...
koryo
New User
New User
 
Posts: 3
Joined: Mon May 19, 2008 4:23 pm
Blog: View Blog (0)


Re: XSS Missions Feasible?

Post by thedotmaster on Tue Jun 17, 2008 4:12 pm
([msg=5069]see Re: XSS Missions Feasible?[/msg])

Of course there are more possible answers but couldn't someone write a bit of code that looks for certain elements, e.g. "<input", or something similar, rather than the entire string?
Image
User avatar
thedotmaster
Contributor
Contributor
 
Posts: 984
Joined: Sun May 04, 2008 4:39 pm
Location: North West UK
Blog: View Blog (1)


Re: XSS Missions Feasible?

Post by Mindzai on Wed Jun 18, 2008 5:20 pm
([msg=5185]see Re: XSS Missions Feasible?[/msg])

Nines9 wrote:It's easy to tell with an alert box, but different people use different syntax and the more in-depth the challenges get, the longer the answers get. Then you need more validation of answers. We've seen what happened with Extbasic.7 when you can have more than one possible solution to a mission. People get pissy over it and end up disliking the challenge. :/


Its not having multiple possible correct answers that annoys people, its the fact that only ONE of these possible answers is accepted. Like you say more validation of the answers is needed but is that such a bad thing? It's not a huge amount of extra work to stick a switch statement in and lowercase the answer before comparison cos arbitrary case sensitivity doesnt help.

Code: Select all
$pass = false;
switch (strtolower($the_answer)){
    case '1st possible answer':
    case '2nd possible answer':
    case '3rd possible answer':
    // etc...
        $pass = true;
        break;
}
Mindzai
New User
New User
 
Posts: 7
Joined: Tue Jun 17, 2008 4:06 pm
Blog: View Blog (0)


Re: XSS Missions Feasible?

Post by Karec on Fri Jul 04, 2008 6:16 pm
([msg=6583]see Re: XSS Missions Feasible?[/msg])

Eh even with the difficulty in writing them, XSS is so widespread these days I do feel there should at least be one mission that can address this topic.

As for dealing with multiple answers, have at least two people who know XSS very well try to brainstorm all the possible answers and make it a multiple answer problem.
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning."
-Rick Cook, The Wizardry Compiled
Karec
Poster
Poster
 
Posts: 127
Joined: Sun Apr 13, 2008 2:39 pm
Blog: View Blog (0)


Re: XSS Missions Feasible?

Post by Nines on Sat Jul 05, 2008 4:50 am
([msg=6609]see Re: XSS Missions Feasible?[/msg])

Karec wrote:Eh even with the difficulty in writing them, XSS is so widespread these days I do feel there should at least be one mission that can address this topic.

As for dealing with multiple answers, have at least two people who know XSS very well try to brainstorm all the possible answers and make it a multiple answer problem.


Realistic 9, Realistic 11, Extbasic 7 deal with XSS.. I suppose you could have more extbasic missions based around XSS, like filter evasion etc.. I could see that working.
User avatar
Nines
Poster
Poster
 
Posts: 191
Joined: Sun Apr 13, 2008 5:57 pm
Blog: View Blog (0)


Re: XSS Missions Feasible?

Post by mosshack on Sat Jul 05, 2008 5:13 am
([msg=6611]see Re: XSS Missions Feasible?[/msg])

I dont think XXS Mission as such in there own catorgory, i would like to see more XXS within other missions. Like in realistic missions have a hidden vulnerability and if the user finds that then they can use that to there advantage.
I think this would be a good idea, also it would make challenges more a challenge
mosshack
New User
New User
 
Posts: 18
Joined: Wed Apr 30, 2008 4:59 pm
Blog: View Blog (0)


Re: XSS Missions Feasible?

Post by thedotmaster on Sat Jul 05, 2008 6:57 am
([msg=6615]see Re: XSS Missions Feasible?[/msg])

mosshack wrote:I dont think XXS Mission as such in there own catorgory, i would like to see more XXS within other missions. Like in realistic missions have a hidden vulnerability and if the user finds that then they can use that to there advantage.
I think this would be a good idea, also it would make challenges more a challenge


Yeah I agree with this actually. I'm not too sure how you would use an XSS to your advantage though, any ideas?
Image
User avatar
thedotmaster
Contributor
Contributor
 
Posts: 984
Joined: Sun May 04, 2008 4:39 pm
Location: North West UK
Blog: View Blog (1)


Re: XSS Missions Feasible?

Post by mosshack on Sat Jul 05, 2008 7:24 am
([msg=6616]see Re: XSS Missions Feasible?[/msg])

Use it to your advantage e.g. You can use it to find a hidden password file and so on. Just an idea.
mosshack
New User
New User
 
Posts: 18
Joined: Wed Apr 30, 2008 4:59 pm
Blog: View Blog (0)


Next

Return to Comments & Suggestions

Who is online

Users browsing this forum: No registered users and 0 guests