Re: Cross site scripting explained

From: Slow2Show (sl2sho@yahoo.com)
Date: 12/16/02

    Date: 16 Dec 2002 20:10:01 -0000
    From: Slow2Show <sl2sho@yahoo.com>
    To: vuln-dev@securityfocus.com
    
    
    In-Reply-To: <195f0718f5f1.18f5f1195f07@icomcast.net>

    http://www.idefense.com/idpapers/XSS.pdf
    http://www.cgisecurity.net/articles/xss-faq.shtml

    Those papers are by Endler and Zeno...they should get
    you informed. If you don't feel like reading, I'll try
    to sum up the basic concepts for you and everybody else.

    In general there are two types of XSS attacks,
    transient and permanent.

    Let's say you have an E-commerce site named example.com.
    Example.com uses their own type of session cookie to
    maintain state when a customer makes transactions. An
    example of a transient attack would be if I knew Bob
    currently has the example.com cookie on his system, and
    I sent an IM to Bob with a link that was specially
    crafted w/ an XSS attack payload that sent Bob's
    example.com cookie to a cookie collecting script at
    bobs-evil-wife.com. So now Bob's wife can use his
    cookie to session hijack his example.com account and do
    what she pleases on Bob's account.

    OK, now let's say I have a message board. I want users to
    make colorful posts so I allow HTML to be put into
    posts, but unfortunately I allowed everything
    including javascript. An evil user comes along and
    inserts script into a post that, when loaded,
    automatically posts "I am a luser" to every message
    board on the site, or it could do anything else the
    evil user wants to do on behalf of all the visitors
    that loaded the site up and were members of the board.

    Here are examples from this month of XSS attacks:
    http://online.securityfocus.com/archive/1/303226/2002-12-06/2002-12-12/0
    http://online.securityfocus.com/archive/1/303542/2002-12-13/2002-12-19/0
    http://online.securityfocus.com/archive/1/303545/2002-12-13/2002-12-19/0

    Sadly this type of hole is extremely easy to find in any
    non-trivial website...I've found hundreds all over
    major sites on the web. The developers just don't care
    much about them though because the second part of the
    attack, the user interaction, is difficult to
    accomplish. There has been much debate regarding whether
    these types of vulns should be allowed on bugtraq. IMHO
    the disclosure of these types of attacks should be
    "moved" to the webappsec list.

    Cheers,

    -Slow2Show- <-- graduating Friday woo hoo!!
    University of Florida

    > Can anyone explain to me or point me to a paper that
    > explains exactly what cross site scripting is, and how
    > it could be useful/cause problems for someone? Thanks.
    >
    > Mike
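The message-board hole described in the post above, as an added example that is not code from the original post: an allow-list HTML sanitizer in Python that keeps the formatting tags such a board would want (the b/i/u/font/br allow-list and the font attributes are assumptions) but drops script and style elements with their bodies, every unknown tag, and every attribute not on the allow-list, so event handlers and script never reach other visitors' browsers.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allow-list for "colorful posts": formatting only, nothing that runs code.
ALLOWED_TAGS = {"b", "i", "u", "font", "br"}
ALLOWED_ATTRS = {"font": {"color", "size"}}

class AllowListSanitizer(HTMLParser):
    """Rebuilds a post from parsed tokens, keeping only allow-listed markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skipping = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping = tag  # drop the element body too, not just the tag
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text still arrives via handle_data
        kept = ""
        for name, value in attrs:  # on* handlers, href and src never pass this filter
            if name in ALLOWED_ATTRS.get(tag, ()) and value and value.replace("#", "").isalnum():
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif tag in self.open_tags:
            while self.open_tags:  # pop down to the matching tag so nesting stays sane
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=True))  # text is always entity-encoded

def sanitize_post(post_body: str) -> str:
    """Return the post with only allow-listed markup; tags left open get closed."""
    s = AllowListSanitizer()
    s.feed(post_body)
    s.close()
    return "".join(s.out) + "".join(f"</{t}>" for t in reversed(s.open_tags))
```

The board would store the raw post but render only `sanitize_post(body)` into the page; the parser lowercases tag and attribute names, so case tricks in the markup do not bypass the allow-list.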