[Full-Disclosure] Re: A technique to mitigate cookie-stealing XSS attacks

From: Ulf Harnhammar (ulfh@update.uu.se)
Date: 11/09/02


From: ulfh@update.uu.se (Ulf Harnhammar)
Date: Sat, 9 Nov 2002 07:15:26 +0100 (CET)

On Thu, 7 Nov 2002, Nick Simicich wrote:

> If I understand the XSS vulnerability correctly, it is all based on the
> ability of javascript to access cookies through the document.cookie
> property.

No, it's not just about that. You can also include scripts that will
perform some action on your behalf, by redirecting to a script that does
something (i.e., an XSS bug in a web-based Usenet client might open up the
possibility for an attacker to post to Usenet under your name).

This is done by simply including HTML code like:

<script>self.location.href="/script.cgi?param1=the&param2=blue&param3=mask"</script>

or even:

<meta http-equiv="Refresh" content="0; URL=/script.cgi?param1=the&param2=blue&param3=mask">

(The latter version doesn't even use JavaScript.)

To sum this all up, stating that XSS is all about JavaScript being able to
access cookies to steal someone's password is an oversimplification.

// Ulf Harnhammar
   VSU Security
   ulfh@update.uu.se
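The forced-request trick Ulf describes (a redirect that makes the victim's browser hit a state-changing script under the victim's session) is a CSRF-style abuse, and the classic server-side countermeasure is to refuse state changes on GET and to require a per-session anti-CSRF token on POST. The following is an added example, not code from the original post or from any project mentioned in it. The handler name `handle_post_article`, the `/script.cgi` parameter names and the session layout are assumptions chosen to mirror the post's Usenet-client scenario; `url_from_meta_refresh` models how a browser turns the quoted `<meta http-equiv="Refresh">` payload into a plain GET.

```python
"""Server-side defence against forced state-changing requests.

Added example, not from the original post.  A hypothetical "post to Usenet"
endpoint refuses to act on GET and, on POST, requires an anti-CSRF token
bound to the session.  Both redirect payloads quoted in the post
(self.location.href and meta refresh) can only produce a GET with no token,
so they are rejected before any action is taken.
"""
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlsplit


def new_session(user="alice"):
    """Create a session carrying a fresh, unguessable CSRF token."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}


def handle_post_article(method, form, session):
    """Hypothetical handler for the Usenet-posting script in the example.

    `form` is a dict in the shape urllib.parse.parse_qs returns
    (name -> list of values).  Returns (status, message) rather than an
    HTTP response so it can be exercised without a web server.
    """
    # 1. Only POST may change state.  A redirect, whether driven by script
    #    or by a meta refresh, always yields a GET, so it never gets past here.
    if method != "POST":
        return 405, "state-changing action requires POST"

    # 2. The request must carry the session's CSRF token.  Compare in
    #    constant time; encode to bytes so compare_digest accepts any str.
    token = form.get("csrf_token", [""])[0]
    if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"

    body = form.get("body", [""])[0]
    return 200, f"posted as {session['user']}: {body}"


def url_from_meta_refresh(content):
    """Extract the target URL from a meta refresh `content` attribute.

    Accepts the "0; URL=/path?query" form quoted in the post (the URL= prefix
    and surrounding quotes are optional in browsers, so both are tolerated).
    """
    m = re.match(r"\s*\d+\s*;\s*(?:url\s*=\s*)?['\"]?([^'\"]+)", content, re.I)
    return m.group(1).strip() if m else None


def simulate_redirect(url, session):
    """Model what the browser does after a redirect: a GET for `url` with its
    query string and no form body, sent with the victim's session."""
    return handle_post_article("GET", parse_qs(urlsplit(url).query), session)


if __name__ == "__main__":
    sess = new_session()
    # Constructed inputs: the two payloads from the post.
    print(simulate_redirect(
        "/script.cgi?param1=the&param2=blue&param3=mask", sess))
    target = url_from_meta_refresh(
        "0; URL=/script.cgi?param1=the&param2=blue&param3=mask")
    print(simulate_redirect(target, sess))
    # Legitimate submission from the real form, token included.
    print(handle_post_article(
        "POST", {"body": ["hello"], "csrf_token": [sess["csrf_token"]]}, sess))
```

This closes the script-free meta-refresh vector and any bare redirect, which is the point of the post: an endpoint that acts on a GET is abusable even where no JavaScript runs. It is defence in depth rather than a cure for XSS itself, since a script actually executing in the page can read the token from the DOM and submit the form; the root fix for XSS remains encoding and validating untrusted output.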
