Re: CSS, CSS & let me give you some more CSS

From: Slow2Show (sl2sho@yahoo.com)
Date: 01/30/02


Date: 29 Jan 2002 23:24:28 -0000
From: Slow2Show <sl2sho@yahoo.com>
To: vuln-dev@securityfocus.com



In-Reply-To: <20020129113027.B10678@kavi.com>

>Ok, so I am a little confused. My understanding of
>CSS is that an attacker is trying to reach a victim
>through a 3rd party website. For instance, I post a
>message to a message board that contains
>javascript, and it runs on a victim's machine, who
>viewed that message.

Yes, this is one form of webApp attack: you are using
the CSS attack vector to return user-injected
script/HTML/PHP back to a page that is viewable by
other website visitors...this is one of the more
damaging attacks...but it isn't all that CSS is limited to.

>The reason I am confused is that, all of your
>supposed CSS vulns are directed at search
>scripts. Do the queries you are entering get stored
>on the website, for later viewing by OTHER users?
>It doesn't seem likely. The only person you could
>exploit would be, well, yourself.

Search engine inputs are notorious for not sanitizing
user input...I believe that is why phine chose to focus
on them...and yes, you do bring up a good point, the
website queries could be stored on a website...to be
viewed later by someone interested in seeing what
people are searching for....company user loads up
the admin query page...user-injected script is
executed, and that website's cookie has now been
processed by the attacker's "cookie collection PHP
script" (CCPS) on a remote server.

How could this affect John Q. Surfer?
Well, let's say I send him a link with a partially
hex-converted URL, ex:
http://website.com/someform?input=%73%75%70

This could be used in a Social Engineering attack to
trick another user to visit this link and have their
cookie stolen by the attacker's CCPS...or the attacker
could use javascript to manipulate the DOM and act
on the user's part to do various actions...let's say post
a message automatically on a forum.

>Maybe I have completely missed the boat on this
>one, and if so, please explain how I could attack
>someone ELSE with these...
No, you just didn't see the whole boat through the
fog...cheesy, I know ;-)

>Now if you showed me that I could slip SQL into one
>of these search boxes, then I would call that a
>vulnerability...
That is a whole other story....

Reference links:
http://www.cert.org/tech_tips/malicious_code_mitigation.html
http://www.owasp.org/
http://httpd.apache.org/info/css-security/

-Slow2Show-
University of Florida

Disclaimer: I'm just a stupid college kid!
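
The hex-converted link described in the message above, worked through from the defending site's side. This is an added example, not part of the original post: the function names and the second sample link are constructed for illustration, and the page handler is a stand-in for the search script. It shows that the server sees the decoded value no matter how the link was encoded, and that HTML-encoding at output time neutralises it.

```python
from html import escape
from urllib.parse import urlsplit, parse_qs

# The link from the post: the input parameter is hex (percent) encoded.
PLAIN_LINK = "http://website.com/someform?input=%73%75%70"

# Constructed sample: harmless markup with every byte percent-encoded,
# so no angle bracket is visible anywhere in the link itself.
MARKUP = "<script>alert(1)</script>"
ENCODED_LINK = ("http://website.com/someform?input="
                + "".join(f"%{b:02x}" for b in MARKUP.encode()))


def decoded_input(url, param="input"):
    """Return the parameter as the application receives it, after percent-decoding."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(param, [""])
    return values[0]


def render_unsafe(url):
    """The 'before': the search term is echoed into the page verbatim."""
    return "<p>Results for: " + decoded_input(url) + "</p>"


def render_escaped(url):
    """The 'after': HTML-encode at output time, so markup is displayed, not parsed."""
    return "<p>Results for: " + escape(decoded_input(url), quote=True) + "</p>"


def looks_like_markup(url):
    """Log-review helper: flag links whose decoded input holds HTML metacharacters."""
    return any(ch in decoded_input(url) for ch in "<>\"'")


if __name__ == "__main__":
    for link in (PLAIN_LINK, ENCODED_LINK):
        print(link)
        print("  decoded :", decoded_input(link))
        print("  flagged :", looks_like_markup(link))
        print("  unsafe  :", render_unsafe(link))
        print("  escaped :", render_escaped(link))
```

Checks that match on the raw URL text miss the encoded form, which is why the flagging helper and the output encoding both work on the decoded value.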