Re: CSS, CSS & let me give you some more CSS

From: Sverre H. Huseby (shh@thathost.com)
Date: Thu, 31 Jan 2002 23:54:27 +0100
To: Joe Harrison <list-general@ntlworld.com>


[Joe Harrison]

| I can't help feel the importance of these cross-site-scripting attacks is
| over-emphasised.
|
| 1. You can grab a session cookie which can give you a hijacked login.
| Obviously not good but also not that easy to implement as it needs quite
| precise timing.

Not necessarily. Here are a couple of examples where the timing is
not important:

  * The site in question lets a user store things in a database, which
    will later be sent to other, logged-in users (e.g. a discussion
    forum). If output is not correctly "washed", the user will
    receive the script after logging in, so the attacker need not know
    when the user is logged in.

  * Social engineering 1: A URL with "Check this cool [something] at
    [target site]" in a mail may do. If the URL contains a script,
    and the target site 1) requires login and 2) routes the victim to
    the original URL after a successful login, the script will be run
    after logging in. No timing needed.

  * Social engineering 2: A mail with forged sender stating that "we
    suspect that we have a [security/database/whatever] problem.
    Please log in at our site, and go to the following URL to verify
    that everything is OK." The URL does, of course, contain a
    malicious script. No timing needed.

| Also the rightful session owner (even if unsophisticated user) is
| immediately going to notice something funny is happening when his
| or her genuine session blows away.

Not if the script is carefully crafted. The script may redirect the
user to the attacker's site, bringing the cookie with it. The
attacker's server picks the cookie from the request and stores it in a
database or something. The only output from the attacker's site is a
new browser redirect that brings the user back to the original site.

I have tried it: No browser flicker or anything that will be noticed
by most users.

Sverre.

-- 
shh@thathost.com			Play my free Nerd Quiz at
http://shh.thathost.com/		http://nerdquiz.thathost.com/
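The "washing" of output that the first and second examples above turn on, written out as an added illustration (not code from the original post): the same escaping step covers both a post stored in the database and a query parameter reflected from the URL the victim lands on after login. The host names, parameter name and sample payloads are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit


def wash_for_html(text: str) -> str:
    """Escape user-supplied text for insertion into an HTML page.

    Replaces & < > " and ' with character references, so the browser shows
    the text literally instead of parsing a stored or reflected <script>."""
    return html.escape(text, quote=True)


def render_post(author: str, body: str) -> str:
    """Stored case: the forum post a logged-in reader receives later.

    Both fields were written by some earlier user and read back from the
    database, so both are washed on the way out, not just on the way in."""
    return (f'<div class="post"><b>{wash_for_html(author)}</b>: '
            f'{wash_for_html(body)}</div>')


def render_search_echo(request_url: str) -> str:
    """Reflected case: the page echoes a query parameter from the URL the
    victim was routed back to after logging in (parameter "q" is assumed)."""
    query = parse_qs(urlsplit(request_url).query)
    term = query.get("q", [""])[0]
    return f"<p>Results for: <i>{wash_for_html(term)}</i></p>"


# Constructed samples standing in for attacker-supplied content.
STORED_BODY = "<script>document.location='http://attacker.invalid/'</script>"
VISITED_URL = ("http://forum.example/search?q="
               "%3Cscript%3Edocument.location%3D%27http%3A%2F%2F"
               "attacker.invalid%2F%27%3C%2Fscript%3E")

if __name__ == "__main__":
    # Both outputs contain "&lt;script&gt;" and no live <script> element.
    print(render_post("mallory", STORED_BODY))
    print(render_search_echo(VISITED_URL))
```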
