During an "OMG - break" I wrote one note for You... ;)
Here it is:
Hello, once upon a time...
Just kidding.. not this way. ;]
Ok, so as I wrote a few posts ago, there is a funny thing I have been doing in the last few weeks.
Various crazy attack scenarios showed me various things.
From information disclosure bugs to ones "not presented in public"
(some of them I posted here, some not, like the XSS in PMA3.4.5 or some SQLi bugs).
When I was looking for ways to 'store code in applications',
I was looking for 'what's next' or 'how to use it "for real"' ;).
So... "we found this XSS, for logged-in users only". What's next, what's the big deal, what's the difference...? :)
Hmmmm, deface-rence? own3d-rence? what-3lse-rence? ;>
"Why oh why" would stored code in the <add_Your's_CMS_here;)> application be used like this?
Because an attacker who wants Your files/box/etc. will attack You via any possible way.
So, please understand it: even one simple "not critical" hole can get You owned.
1. The attacker creates a 'new account'. (Let's say there is a bug in comments, like this one.)
2. Now the attacker is logged in. So if the XSS is in this part of the webapp, he can put his code here.
3. The stored code then becomes the building block of the next attacks.
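As an added illustration (my example, not the author's code): the only thing separating step 2 above from a harmless comment is whether the CMS escapes user text on output. The function names and the sample comment are constructed for this demo.

```python
import html

# Constructed sample: what a logged-in user might type into a comment box.
SAMPLE_COMMENT = 'Nice post <script>alert(1)</script> <img src=x onerror=alert(2)>'


def render_comment_vulnerable(author: str, body: str) -> str:
    """The 'before' form: user text is dropped straight into the HTML.

    Whatever the user typed is stored and served verbatim to every other
    visitor, which is exactly the stored-XSS case the post talks about.
    """
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author: str, body: str) -> str:
    """Hardened form: every user-controlled field is HTML-escaped on output.

    html.escape turns < > & " ' into entities, so the browser renders the
    text instead of executing it. Note this is the fix for HTML *body*
    context only; text placed inside attributes or <script> needs the
    encoding that matches that context.
    """
    return (f'<div class="comment"><b>{html.escape(author, quote=True)}</b>: '
            f'{html.escape(body, quote=True)}</div>')


def user_text_unescaped(rendered: str, body: str) -> bool:
    """Demo check: does the raw user text survive verbatim in the page?

    True means the markup the user typed reached the browser untouched.
    """
    return body in rendered


if __name__ == "__main__":
    for render in (render_comment_vulnerable, render_comment_safe):
        out = render("bob", SAMPLE_COMMENT)
        print(render.__name__, "-> live markup:", user_text_unescaped(out, SAMPLE_COMMENT))
```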
Ok. Now the second thing:
if Your CMS is used in internal (company) networks, Your users are vulnerable too:
1. attacks on persons - for example the secretary, reception, marketing offices (in our company), etc.
2. spam vulnerabilities
So, let's go deeper. :)
"How I owned 27 million boxes?" In my imagination only. :)
The reason is simple: I do not break the law.
But there is one thing You should be sure of:
someone somewhere is searching for new vulnerabilities in the latest products.
Webapps, closed-source soft, whatever.
Now, a simple XSS for a "normal user" can be used for this:
You found a bug in some latest $cms?
Type this version into www.google.com. Got the idea?
So type this version (the one where You found the vuln) @Google + "Powered.by"... ;]
Got it now? ;)
The answer You will see is in the millions.
In short: if Your webapp/CMS can be exploited by XSS, then there is no
problem building a botnet (site:powered.by... and writing python code to store the XSS and 'search for the next target' should tell You the rest).
And that's the whole story. ;)
For security testing, ask here.