This post deals with a project I developed: XSS Callback.
This is not going to be (at least, I hope) a boring post about XSS exploitation. No.
Well, one scenario of using XSS would be to steal the victim’s cookie and access the page through their session. This technique is called Session Hijacking. Ok, fair enough.
However, this technique has some issues. Let’s take an example:
The only problem: the user might have logged out of the platform or there might be a timeout on the session.
...
This first post is related to one of my projects: CSRFT. CSRFT is a Cross-Site Request Forgery (CSRF) vulnerability toolkit.
My toolkit allows you to exploit both GET and POST HTTP requests. During some testing, I had issues with some specific forms.
Let’s take an example of such a form:
<form action="http://website.com/blog/" id="form" method="get">
<label class="assistive-text" for="s">Search</label>
<input class="field" id="s" name="s" placeholder="Search" type="text" value="Search Value"/>
<input class="submit" id="searchsubmit" name="submit" type="submit" value="Search"/>
</form>
The code injected into the page to submit the form looked like this:
...
Starting my own blog has been something I really wanted to do. I’ll add posts related to my different projects, but also on Web security.
Here are my different motivations:
Hope you’ll have fun reading my posts. Cheers and see you soon.