Re: XSS Question

"Scott Ocamb" <socamb@xxxxxxxxxxx> wrote in message
thanks for the document link.

You're welcome.

Please validate my understanding:

If I can.

GoodGuy visits and accesses TopSecret.html.

With you so far.

this page collects tons of personal and important information.

This is normal operation when you trust a site with such information.
You also trust that site to place cookies on your machine in a way
that (mostly) only that site is supposed to be able to access them.

It also has a XSS loop hole that allows GoodGuys personal information
to be revrieved via a cookie.

The key thing with an XSS vulnerability is that the bad guy is able
to put an untrusted script in a place where you will take it as a
trusted script. Running from a site that is supposed to have access
to said cookies is kind of a bonus for bad guy.

GoodGuy is oblivous and continues to use the site.

Yes, and the site itself continues to function as normal.

BadGuy visits and accesses TopSecret.html.

Perhaps not, bad guy only needs to place his script on the vulnerable
server. What that script does is ancillary to the XSS vulnerability.

Aha he says and crafts a site to look just like TopSecret.html

He could do that, and have his script send you to that site.

All badguy needs to do is fool GoodGuy and others to visit
BadGuy can get tons of personal information.

Not fool them, just send them - the script could send visitors elsewhere.

BadGuy can send GoodGuy and others emails to fool them to visit (I get This)

Not fool them...fooling someone to visit a site is beyond (or beneath)
the scope of XSS vulnerabilities. Social Engineering is another kind
of exploit in itself.

XSS isn't needed if you could just trick the user into divulging the info.

But there are (or should be) restrictions on what could be scripted in
an e-mail (some still feel e-mail shouldn't even be HTML let alone
support scripting). Scripting in e-mail should fall under untrusted but
as the XSS vector allows ingress of untrusted scripting into a trusted
scenario it is more powerful.

In the past (with IE/OE) I could use a "refresh" to make the receiving
client (OE) visit the website of my choice without the user having to
take any action (aside from having the preview pane enabled). This
has been fixed (hopefully) in recent versions, but such a thing can still
be done through XSS because your web client "trusts" the content
on the website.

BadGuy can post blog entries to fool GoodGuy and others to visit (i get this too).

XSS is not needed if you just want to fool users into doing something
unwise. In fact, it takes great effort to stop them from doing unwise
things - like circumventing LUA at the drop of a hat (another subject).

what i do not see is how badguy can somehow fool goodguy into arriving at durring one session of operation and steal private information.
BadGuy does not know who GoodGuy is.

None of this really has anything to do with XSS - there are examples in the
URL of what could be done with XSS - but the key feature is the running
of the script. If the script sends you to a bogus look-alike site to the one
you believe you are entering your information into - or it uses the fact
your onboard cookies for that legitimate site are available to be sent to
bad guy - it is still the script ingress method that is XSS.

It seems to me the GoodGuy can only arrive at badguy via an indirect
method like email or blog.
Is this correct?

Bad guy uses's XSS vulnerability to place a bad script to be
executed on the client machine when someone visits

Bad guy's untrusted script -->>trusted script for Good guy's

Cross Site Scripting

any help is appreciated.

if not, please explain how goodguy can be directed to durring
normal operation of

A reference to could be scripted. is not needed
for XSS.

"FromTheRafters" <erratic@xxxxxxxxxxxxxxxxx> wrote in message

"Scott Ocamb" <socamb@xxxxxxxxxxx> wrote in message
I would like some help in understanding XSS security vunerabilities.

i can see where a "hacker" could cause implementation vunerable to XSS
attacks inject java script to the page and cause weird stuff to happen
on his machine.

I can also see how a hacker could notice some vurerable code, and mock
up a page that looks legitimate, and send it to someone and cause them
to pass on private information to the hacker.

What i cannot understand is how a hacker could gather information from
another users session . and get private information. Is this possible
and if so how.

i have a customers site that has vunerable pages but we need to
prioritze what we fix and want to focus of pages where private
information is in play.

or i could have missed something else..

any help would be appreciated.