Re: strange requests sent to my WWW



Sebastian Gottschalk <seppi@xxxxxxxxx> writes:

> Scott W Gifford wrote:
>> piotr_sobolewski@xxxxxxxxxxxxxxx writes:
>>
>>> Scott W Gifford wrote:
>>>
>>> [...]
>>>
>>>> On another note, though your script is safe from that attack, you may
>>>> be vulnerable to a less severe cross-site scripting attack, and should
>>>> really escape any HTML that happens to be in $goto.
>>> Why? Any HTML code somebody puts in $goto will be interpreted on the local
>>> machine of the guy who sent the request.
>>
>> Right, that's a cross-site scripting attack:
>>
>> http://www.cgisecurity.com/articles/xss-faq.shtml
>
> Did you miss the HTML Meta Redirect? The attacker's code will not show up
> in the context of the attacked website.

Hi Sebastian,

Imagine that $goto is set to:

"><script>alert('Gotcha!')</script>

The page is then this:

<META HTTP-EQUIV="Refresh" CONTENT="0; URL=""><script>alert('Gotcha!')</script>">

My copy of Firefox 1.5 happily executes this JavaScript code. Over
and over again, in fact.

Breaking out of contexts where at first glance it seems safe to put
arbitrary HTML is the essence of any cross-site scripting attack.
It's always safer to escape any user-controlled data before including
it on a Web page, and there's almost never a good reason not to.

In my experience, it's usually faster to just escape the HTML than to
try and convince myself whether or not there's a real possibility of
an attack.

----Scott.


