Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Abusing SIP for Cross-Site Scripting? Most definitely! - 528

Juxhin Dyrmishi Brigjaj - Enable Security - Posted 4 Years Ago
  • SIP (Session Initiation Protocol) is commonly used for real-time communication, such as instant messaging and voice communication. The product under test is VoIPmonitor, which is listening software for VOIP messages.
  • Wherever user input is handled or controlled, XSS may be possible! On the main VOIP listener message, there is an XSS bug in the User-Agent header. By sending VOIP messages with an XSS payload in the User-Agent header, the administrative account can be forced to perform arbitrary actions.
  • The author takes this from XSS to control over the application. Using custom SQL queries (which for some reason are allowed from the admin side), another administrative user can be created on the application, a keylogger can be added... With XSS on the admin page, it is essentially game over.
  • Wherever user input is displayed, XSS may be possible! Sanitizing all inputs is crucial for preventing these types of bugs.
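
The bug class above, shown from the defender's side as an added example (not code from the original article or from the product): a SIP header value rendered into an admin page raw versus HTML-encoded at output. The SIP message is constructed, and the function names and the table-row markup are assumptions made for illustration.

```javascript
// Constructed SIP REGISTER for illustration; hosts and IDs are placeholders.
const SAMPLE_SIP = [
  "REGISTER sip:pbx.example.test SIP/2.0",
  "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
  "From: <sip:1000@pbx.example.test>;tag=1928301774",
  "To: <sip:1000@pbx.example.test>",
  "Call-ID: a84b4c76e66710@192.0.2.10",
  "CSeq: 1 REGISTER",
  'User-Agent: Phone/1.0 <img src=x onerror="alert(1)">',
  "Content-Length: 0",
  "",
  "",
].join("\r\n");

// Parse SIP headers into a map keyed by lower-cased name (names are case-insensitive).
function parseSipHeaders(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  // Unfold continuation lines, then drop the request line.
  const lines = head.replace(/\r?\n[ \t]+/g, " ").split(/\r?\n/).slice(1);
  const headers = new Map();
  for (const line of lines) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // not a header line
    const name = line.slice(0, idx).trim().toLowerCase();
    if (!headers.has(name)) headers.set(name, line.slice(idx + 1).trim());
  }
  return headers;
}

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode for an HTML element-content or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: network-supplied header value concatenated into markup as-is.
function renderRowUnsafe(headers) {
  return "<tr><td>" + (headers.get("user-agent") || "") + "</td></tr>";
}

// Hardened pattern: encode at output time for the context the value lands in.
function renderRowSafe(headers) {
  return "<tr><td>" + escapeHtml(headers.get("user-agent") || "") + "</td></tr>";
}
```

Any SIP field shown in the interface (From, To, Contact and so on) needs the same treatment, since every one of them is set by the sender.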