RE: XSS LAB DEMO IDEAS

From: Dawes, Rogan (ZA - Johannesburg) (rdawes@deloitte.co.za)
Date: 01/07/03

    From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes@deloitte.co.za>
    To: 'Jeremy Junginger' <jj@act.com>, pen-test <pen-test@securityfocus.com>
    Date: Tue, 7 Jan 2003 10:32:28 +0200 
    
    

    As an example of what one can do with XSS, I was reviewing a banking site
    which had the following sequence:

    User registers, providing their account details, locations, etc.
    The registration is reviewed by a supervisor (different privilege levels),
    who contacts the user telephonically to authenticate them, before activating
    the account.
    The user then logs on, and accesses their accounts.

    I was able to insert enough scripting into the personal data to
    automatically activate the account as soon as it was viewed, without the
    supervisor needing to do it manually. In fact, I was able to become a
    supervisor myself, and add any account I liked. Fortunately I caught this
    one in the testing phase :-)

    That sort of thing can make quite a powerful demonstration of why input
    filtering (more correctly, OUTPUT filtering) is so important.

    Rogan

    -----Original Message-----
    From: Jeremy Junginger [mailto:jj@act.com]
    Sent: 06 January 2003 07:01 PM
    To: pen-test
    Subject: XSS LAB DEMO IDEAS

    After reading the papers by iDefense and the paper at
    http://www.technicalinfo.net/papers/CSS.html , I would like to put a
    working example together to familiarize our web developers with XSS
    vulnerabilities and their impact on the web site (and business). I
    would like to poll the group for interesting ways to demonstrate these
    vulnerabilities in a lab environment. Thanks for taking the time to
    give your input.

    -Jeremy

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
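The output-filtering point Rogan makes above, as an added example that is not part of this thread: a supervisor review page that renders stored registration fields, first concatenated raw and then HTML-encoded at the point of output, plus a small parser-based check a lab harness can use to confirm that no stored value survived as a script element or event-handler attribute. The profile values, field names and function names are constructed for this illustration and are not from the site Rogan reviewed.

```python
import html
from html.parser import HTMLParser

# Constructed sample of registration data a user could submit. The supervisor's
# review page renders it for a higher-privilege user, so anything that reaches the
# page as live markup runs with the supervisor's session. Both payloads are inert.
CONSTRUCTED_PROFILE = {
    "name": "A. User",
    "branch": "Johannesburg <script>/* constructed, inert */</script>",
    "notes": 'x" onmouseover="/* attribute-context breakout */',
}

def render_review_unsafe(profile):
    """The failing pattern: stored fields concatenated straight into the HTML."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in profile.items())
    return f'<table>{rows}</table><input value="{profile["notes"]}">'

def render_review_safe(profile):
    """Output filtering: encode each value at the point it is written into HTML.
    html.escape(quote=True) is right for element text and quoted attribute values;
    other contexts (inline JavaScript, URLs, CSS) need their own encoder."""
    def esc(s):
        return html.escape(s, quote=True)
    rows = "".join(f"<tr><td>{esc(k)}</td><td>{esc(v)}</td></tr>" for k, v in profile.items())
    return f'<table>{rows}</table><input value="{esc(profile["notes"])}">'

class MarkupAudit(HTMLParser):
    """Lab check: parse the rendered page the way a browser would and record any
    script element or on* event-handler attribute that made it into the markup."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        self.findings.extend(f"event handler {n}" for n, _ in attrs if n.startswith("on"))

def audit(rendered):
    """Return the list of findings for one rendered page (empty means clean)."""
    parser = MarkupAudit()
    parser.feed(rendered)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    print("unsafe:", audit(render_review_unsafe(CONSTRUCTED_PROFILE)))  # two findings
    print("safe:  ", audit(render_review_safe(CONSTRUCTED_PROFILE)))    # []
```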



