Re: [Full-Disclosure] logically stopping xss

Valdis.Kletnieks_at_vt.edu
Date: 07/23/03

    To: Justin Shin <zorkshin@tampabay.rr.com>
    Date: Wed, 23 Jul 2003 00:06:24 -0400
    On Tue, 22 Jul 2003 23:10:12 EDT, Justin Shin said:

    > see there's a gazillion xss "exploits" just sitting out there that no-one
    > knows of, and no admin can keep up with all the new "exploits" for xss. I am
    > just looking for suggestions, that's all. I swear, when I said I was stupid, I
    > didn't mean I was THAT stupid :)

    Oh.. *suggestions*.. That's different. ;)

    If you're looking for XSS, start by finding a form that the user fills in
    themselves. Then see if that data can be found on some OTHER page. The only
    two parts missing then are (a) improper filtering before redisplay and (b)
    getting a victim to visit the other page. ;)

    Unlike virus/malware detectors that can look for things like nop sleds, there's
    no really general way to filter for XSS, since the whole trick is to pass
    *legal* structures to the victim and have them interpreted in incorrect
    contexts. Quite often, the attack is a "recombinant DNA" type, where you're
    providing fragments in several pieces all of which *looked* legal separately
    (like one MUA that had an issue displaying a *series* of messages, each of
    which had a small chunk of javascript in the Subject: line... Ouch ;)

    You might want to get hold of a copy of Hofstadter's "Gödel, Escher, Bach" - once
    you read and understand the chapter on quining, knowing what signs of an XSS
    problem to look for will be a lot easier. The rest of the book is a worthwhile
    read too - you'll learn a lot about exactly why scanners like SNORT can't be
    100% right, and a lot less painfully than the Theory of Computation classwork
    version. ;)

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
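The reply above makes two points a defender can act on: the bug is data from one form being redisplayed on another page without proper filtering, and no general input filter exists because the dangerous bytes are legal in one context and markup in another. The practical complement is to encode each piece of user data for the exact context it lands in at output time, and to keep a regression check that user bytes never turn into tags. The following Python is an added example, not code from the thread or its author; the page template, the sample inputs, and the `user_data_stays_data` check are constructed for illustration.

```python
"""Context-aware output encoding for user-supplied data (added example)."""
import html
import json
import re
from urllib.parse import quote

# Constructed sample form inputs, from harmless to markup-bearing.
SAMPLE_INPUTS = [
    "Alice",
    'Bob "the builder" <b>',
    "O'Brien & co",
    "tom</textarea><script>x()</script>",
]


def encode_for_html_text(value: str) -> str:
    """Element content or a *quoted* attribute value: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Inside a <script> string literal: JSON-quote, then hide < and > as \\uXXXX
    so the HTML tokenizer can never see a closing </script> inside user data."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def encode_for_url_param(value: str) -> str:
    """Query-string value: percent-encode everything except unreserved characters."""
    return quote(value, safe="")


def render_profile_naive(name: str) -> str:
    """The 'improper filtering before redisplay' case: data pasted straight in."""
    return (
        f"<h1>Hello {name}</h1>\n"
        f'<input name="display" value="{name}">\n'
        f'<script>var who = "{name}";</script>\n'
        f'<a href="/search?q={name}">search</a>'
    )


def render_profile(name: str) -> str:
    """Same page, one encoder per output context (text, attribute, JS string, URL)."""
    return (
        f"<h1>Hello {encode_for_html_text(name)}</h1>\n"
        f'<input name="display" value="{encode_for_html_text(name)}">\n'
        f"<script>var who = {encode_for_js_string(name)};</script>\n"
        f'<a href="/search?q={encode_for_url_param(name)}">search</a>'
    )


# A tag-opening sequence as the HTML tokenizer sees it: '<' then a letter, '/', '!' or '?'.
TAG_OPEN_RE = re.compile(r"<[A-Za-z/!?]")


def tag_opens(page: str) -> int:
    """Number of places where the tokenizer would start a tag."""
    return len(TAG_OPEN_RE.findall(page))


def user_data_stays_data(render, value: str) -> bool:
    """Regression check for a template: rendering untrusted `value` must open
    exactly as many tags as rendering a plain word does.  Any extra '<x' means
    user bytes were promoted to markup."""
    return tag_opens(render(value)) == tag_opens(render("x"))


def audit(render) -> dict:
    """Run the check over the sample inputs; returns {input: passed}."""
    return {s: user_data_stays_data(render, s) for s in SAMPLE_INPUTS}


if __name__ == "__main__":
    for label, fn in (("naive", render_profile_naive), ("encoded", render_profile)):
        print(label, audit(fn))
```

The check deliberately measures the output rather than inspecting the input: it does not try to recognise "bad" strings (the email explains why that cannot be done in general) and instead verifies that whatever the user typed still tokenises as data in every context the template puts it into. Run as a script it prints one pass/fail map per renderer.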