Cross-site scripting.
From: Berend-Jan Wever (skylined@edup.tudelft.nl) Date: 03/23/02
- Previous message: Fyodor: "Re: Identifying Kernel 2.4.x based Linux machines using UDP"
- Next in thread: zeno: "Re: Cross-site scripting."
- Reply: zeno: "Re: Cross-site scripting."
From: "Berend-Jan Wever" <skylined@edup.tudelft.nl>
To: "bugtraq" <bugtraq@securityfocus.com>
Date: Sat, 23 Mar 2002 21:38:30 +0100
This message assumes basic knowledge about cross-site scripting (CSS) and
its implications. For a quick summary of its implications, see the bottom of
this message first.
I have recently done a "CSS marathon" and found _almost_ every page I tried
vulnerable within half an hour. These include Microsoft, AltaVista,
Google, CNET, Time, eBay, Amazon, Netscape, Yahoo and Red Hat. This list
probably could have gone on forever if I had taken the time. I have
contacted every one of them about this (except for Yahoo and eBay, because I
was unable to find a contact email address or feedback form; if it takes
longer to find the contact info than to find the CSS, f#ck 'em). I am now
awaiting their responses.
But the ease with which I CSS-ed the hell out of every one of them got me
thinking. I'm not going to be the "beta-tester" slave for the whole
Internet. The sites I contacted will probably just patch the one hole I
found, so I will probably be able to find others, and what about all the sites
I haven't tried yet? Maybe there should be a "general advisory" going out to
every web designer out there that CSS is as dangerous as it is common.
Feedback on the usefulness (or futility) of a "general CSS advisory" would
be appreciated.
Berend-Jan Wever
--------------------------------------------
CSS implications
By opening a specially crafted URL in the targeted user's web browser (for
instance when he visits your website or reads an email you sent him), you can:
- read anything that user can read from the CSS-vulnerable site
(address book, personal info, etc.)
- do whatever that user can do on the CSS-vulnerable site (send messages,
order stuff, change personal settings and passwords)
- spoof the contents of the CSS-vulnerable site (make somebody think he is
looking at www.foo.com while the contents of the page actually come from
your site www.bar.com)
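The "specially crafted URL" the post describes works because a page echoes part of the URL back into its own HTML without encoding it. The following is an added example, not code from the original post: a minimal reflected "search" handler in the vulnerable form beside the hardened form that encodes for each output context. The URL, function names and the sample query value are constructed for illustration.

```python
from html import escape
from urllib.parse import urlparse, parse_qs

# Constructed sample request: the untrusted value travels in the query string
# of a URL on the (hypothetical) vulnerable site.
SAMPLE_URL = "http://www.foo.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E"


def query_param(url, name):
    """Return the first value of a query parameter from a URL, or '' if absent."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def render_vulnerable(url):
    """Echo the parameter verbatim: whatever the URL carries becomes markup
    that runs in the origin of www.foo.com, with that user's cookies."""
    q = query_param(url, "q")
    return f'<p>Results for: {q}</p><input name="q" value="{q}">'


def render_hardened(url):
    """Encode for the output context before echoing.
    Text content needs < > & encoded; a quoted attribute also needs quotes
    encoded, so html.escape's default (quote=True) is the safe choice for both."""
    q = query_param(url, "q")
    body = escape(q, quote=True)
    attr = escape(q, quote=True)
    return f'<p>Results for: {body}</p><input name="q" value="{attr}">'


def contains_raw_tag(html_fragment, tag="script"):
    """Crude check used here to compare the two renderings: does a real
    (unencoded) opening tag of the given name appear in the output?"""
    return f"<{tag}" in html_fragment.lower()
```

Run `render_vulnerable(SAMPLE_URL)` and `render_hardened(SAMPLE_URL)` side by side: the first returns a live `<script>` element, the second returns the same text as inert `&lt;script&gt;` entities.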