RE: Can you exploit this XSS?
From: Parity (parity_at_ghettohackers.net)
Date: 11/23/03
- Previous message: Sverre H. Huseby: "Re: Can you exploit this XSS?"
- In reply to: Scovetta, Michael V: "RE: Can you exploit this XSS?"
- Next in thread: dd: "Re: Can you exploit this XSS?"
To: "'Scovetta, Michael V'" <Michael.Scovetta@ca.com>, "'Paul Johnston'" <paul@westpoint.ltd.uk>, <vuln-dev@securityfocus.com>, <rich@westpoint.ltd.uk>
Date: Sun, 23 Nov 2003 12:57:08 -0800
> As I understand XSS, it is only exploitable when user A enters data
> that user B views. XSS is moot when you can only do it to yourself
Actually, that's incorrect...
Provided that I, as an attacker, can induce someone to follow a
hyperlink, I can exploit XSS bugs like this. For instance, if "XXX" is
a querystring parameter, all I have to do is get my victim to follow a
link like this:
http://www.vulnerable.com/page?exploitvar=foo%22%3e%20%3cscript%3ealert('0wned!')%3c/script%3e%20%3cbogustag%20foo%3d%22bar
and then the following will be displayed to the victim:
<input type="hidden" name="tageturl" value="foo">
<script>alert('0wned!')</script> <bogustag foo="bar">
Sure, there's a minor amount of social engineering involved - I
need you to follow a link, but there are a lot of ways to make that
happen. Especially when the link points to an app which the victim
trusts to behave itself.
To Paul's original question, I don't think this bug is
exploitable because the app encodes the attacker-supplied " char, which
prevents the attacker's input from terminating the quoted attribute
value context. By confining the attacker's input to that context,
whatever the attacker supplies will be interpreted as a literal by the
victim's browser.
pty
-----Original Message-----
From: Scovetta, Michael V [mailto:Michael.Scovetta@ca.com]
Sent: Wednesday, November 19, 2003 8:46 AM
To: Paul Johnston; vuln-dev@securityfocus.com; rich@westpoint.ltd.uk
Subject: RE: Can you exploit this XSS?
As I understand XSS, it is only exploitable when user A enters data that
user B views. XSS is moot when you can only do it to yourself, so screens
like that (a redirect) are just a convenience for the user. It should
still be properly cleansed, but I don't see this being a true case of XSS,
more like JavaScript Injection.
Michael Scovetta
Application Developer
Computer Associates International, Inc.
-----Original Message-----
From: Paul Johnston [mailto:paul@westpoint.ltd.uk]
Sent: Wednesday, November 19, 2003 7:51 AM
To: vuln-dev@securityfocus.com; rich@westpoint.ltd.uk
Subject: Can you exploit this XSS?
Hi,
While auditing a web app, I've found the site redirects not found pages
to a login screen. This contains an element like:
<input type="hidden" name="tageturl" value="XXX">
Now, the XXX bit is controlled by the user, and it seems the only
characters escaped are " and & - i.e.
<script>alert(document.cookie)</script> gets through (hence my tool
alerted me).
Can this be exploited for XSS? I can't see how to immediately, but it
seems possible.
Paul
--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street, Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@westpoint.ltd.uk
web: www.westpoint.ltd.uk
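As an added illustration of Parity's conclusion (this is not code from the thread or from the audited application): a small Python model of the hidden input that applies either the app's assumed escaping (only " and &, reconstructed from Paul's description) or full attribute escaping, then runs the result through a browser-like HTML parser to see which elements actually get created. The break-out string and the scanner payload are constructed from the two messages above.

```python
import html
from html.parser import HTMLParser

# What the login screen in the thread is described as doing: escape only
# " and & (assumed implementation, reconstructed from Paul's message).
def escape_quote_and_amp(value: str) -> str:
    return value.replace("&", "&amp;").replace('"', "&quot;")

# Conservative alternative: escape every HTML-significant character
# (& < > " '), which is also safe inside single-quoted attribute values.
def escape_attr(value: str) -> str:
    return html.escape(value, quote=True)

def render_hidden_input(value: str, escaper) -> str:
    """Emit the element from the thread with the value run through `escaper`."""
    return '<input type="hidden" name="tageturl" value="%s">' % escaper(value)

class _TagCollector(HTMLParser):
    """Records the elements created and the decoded value of the input."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_value = dict(attrs).get("value")

def parse(markup: str):
    """Return (list of element names created, decoded value of the input)."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags, p.input_value

# Constructed inputs: Parity's break-out string (the decoded query value)
# and the payload Paul's scanner sent.
BREAKOUT = 'foo"> <script>alert(\'0wned!\')</script> <bogustag foo="bar'
SCANNER_PAYLOAD = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    cases = (("none", lambda v: v),
             ('" and & only', escape_quote_and_amp),
             ("full", escape_attr))
    for name, esc in cases:
        tags, value = parse(render_hidden_input(BREAKOUT, esc))
        print(f"{name:14} elements={tags} value={value!r}")
```

With no escaping the parser creates input, script and bogustag elements; with either escaping scheme it creates only the input, whose decoded value is the attacker's string verbatim, which is exactly the "interpreted as a literal" outcome Parity describes.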