Re: XSS Question



inline
"Scott Ocamb" <socamb@xxxxxxxxxxx> wrote in message
news:uMJ4687WJHA.3808@xxxxxxxxxxxxxxxxxxxxxxx
thanks for the document link.

You're welcome.

Please validate my understanding:

If I can.

GoodGuy visits Vunerable.com and accesses TopSecret.html.

With you so far.

this page collects tons of personal and important information.

This is normal operation when you trust a site with such information.
You also trust that site to place cookies on your machine in a way
that (mostly) only that site is supposed to be able to access them.

It also has a XSS loop hole that allows GoodGuys personal information
to be revrieved via a cookie.

The key thing with an XSS vulnerability is that the bad guy is able
to put an untrusted script in a place where you will take it as a
trusted script. Running from a site that is supposed to have access
to said cookies is kind of a bonus for bad guy.

GoodGuy is oblivous and continues to use the site.

Yes, and the site itself continues to function as normal.

BadGuy visits Vunerable.com and accesses TopSecret.html.

Perhaps not, bad guy only needs to place his script on the vulnerable
server. What that script does is ancillary to the XSS vulnerability.

Aha he says and crafts a site BadGuy.com to look just like TopSecret.html

He could do that, and have his script send you to that site.

All badguy needs to do is fool GoodGuy and others to visit BadGuy.com
BadGuy can get tons of personal information.

Not fool them, just send them - the script could send visitors elsewhere.

BadGuy can send GoodGuy and others emails to fool them to visit
badguy.com. (I get This)

Not fool them...fooling someone to visit a site is beyond (or beneath)
the scope of XSS vulnerabilities. Social Engineering is another kind
of exploit in itself.

XSS isn't needed if you could just trick the user into divulging the info.

But there are (or should be) restrictions on what could be scripted in
an e-mail (some still feel e-mail shouldn't even be HTML let alone
support scripting). Scripting in e-mail should fall under untrusted but
as the XSS vector allows ingress of untrusted scripting into a trusted
scenario it is more powerful.

In the past (with IE/OE) I could use a "refresh" to make the receiving
client (OE) visit the website of my choice without the user having to
take any action (aside from having the preview pane enabled). This
has been fixed (hopefully) in recent versions, but such a thing can still
be done through XSS because your web client "trusts" the content
on the website.

BadGuy can post blog entries to fool GoodGuy and others to visit
babguy.com (i get this too).

XSS is not needed if you just want to fool users into doing something
unwise. In fact, it takes great effort to stop them from doing unwise
things - like circumventing LUA at the drop of a hat (another subject).

what i do not see is how badguy can somehow fool goodguy into arriving at
badguy.com durring one session of operation and steal private information.
BadGuy does not know who GoodGuy is.

None of this really has anything to do with XSS - there are examples in the
URL of what could be done with XSS - but the key feature is the running
of the script. If the script sends you to a bogus look-alike site to the one
you believe you are entering your information into - or it uses the fact
that
your onboard cookies for that legitimate site are available to be sent to
bad guy - it is still the script ingress method that is XSS.

It seems to me the GoodGuy can only arrive at badguy via an indirect
method like email or blog.
Is this correct?

Bad guy uses vulnerable.com's XSS vulnerability to place a bad script to be
executed on the client machine when someone visits vulnerable.com.

Bad guy's untrusted script -->vulnerable.com-->trusted script for Good guy's
machine.

Cross Site Scripting

any help is appreciated.

if not, please explain how goodguy can be directed to badguy.com durring
normal operation of Vunerable.com.

A reference to badguy.com could be scripted. Badguy.com is not needed
for XSS.

"FromTheRafters" <erratic@xxxxxxxxxxxxxxxxx> wrote in message
news:%23MbMdWvWJHA.256@xxxxxxxxxxxxxxxxxxxxxxx
http://www.cis.upenn.edu/~cis551/XSS.pdf

"Scott Ocamb" <socamb@xxxxxxxxxxx> wrote in message
news:%23GozV0tWJHA.5108@xxxxxxxxxxxxxxxxxxxxxxx
I would like some help in understanding XSS security vunerabilities.

i can see where a "hacker" could cause implementation vunerable to XSS
attacks inject java script to the page and cause weird stuff to happen
on his machine.

I can also see how a hacker could notice some vurerable code, and mock
up a page that looks legitimate, and send it to someone and cause them
to pass on private information to the hacker.

What i cannot understand is how a hacker could gather information from
another users session . and get private information. Is this possible
and if so how.

i have a customers site that has vunerable pages but we need to
prioritze what we fix and want to focus of pages where private
information is in play.

or i could have missed something else..

any help would be appreciated.









.



Relevant Pages

  • [NEWS] XSS Vulnerability in Major Websites (Hotmail, Yahoo and Excite)
    ... *.msn.com the cookie for the email service can be captured. ... XSS is in the 'article.asp' script on 'www.accesshollywood.msn.com'. ... The yahoo mail service uses a *.yahoo.com server, ...
    (Securiteam)
  • Re: [Full-disclosure] Arin.net XSS
    ... It works in IE just fine and probably some other browsers. ... This prevents the script from being interpreted properly via the Address bar. ... Subject: [Full-disclosure] Arin.net XSS ... I think that XSS in many instances is a serious issues. ...
    (Full-Disclosure)
  • Re: XSS And Headers...
    ... Blocking Script Injection, LogFile Denial of Service" ... It's only a problem where the admin views logs in html. ... infact anywhere you don't trust and most places you ... then, imo, it's much better to worry about XSS when you're writing the ...
    (Vuln-Dev)
  • RE: Cross Site Scripting Vulnerabilities - XSS
    ... internal mechanism to prevent remote viewing of the Internet History. ... Cross Site Scripting Vulnerabilities - XSS ... successful execution of script in each instance might be similar, ... security measures that prevent XSS. ...
    (Pen-Test)
  • [Full-disclosure] Drupal Admin Password Reset via XSS
    ... There have been quite a few Cross Site Scripting (XSS) vulnerabilities ... the Drupal account page doesn't require users to enter ... This flaw, combined with a well crafted XSS attack, could be ... I have provided an example of such a script below. ...
    (Full-Disclosure)