Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Cross Site Scripting holes abound

From: <security () devitry com>
Date: 17 Nov 2001 02:05:53 -0000
Mailer: SecurityFocus

:::  Summary  :::: 

   Over a year and a half since CERT issued 
warning on Cross Site Scripting, most dynamic 
websites are _still_ not filtering user input.  This 
lets remote sites access to write scripts on vunlerable
sites, stealing cookies, performing actions on behalf
of user or modifying look of content on site.  I did a 
quick 
check of the top 15 sites (and other sites I use) and 
found holes in _most_ of them. 

:::  Sites Affected :::
   
   http://www.microsoft.com/
   http://www.msnbc.com/
   http://www.oracle.com/ 
   http://www.about.com/ 
   http://www.doubleclick.net/ 
   http://www.netscape.com/
   http://www.paypal.com/
   http://www.google.com/
   ... many more not listed.... 

:::  Details :::: 

   In general, if you can replace any url parameter with
""><script>alert(document.cookie)</script>"
 and you get an alert, the site may be vulnerable. 

   Samples and details listed at 
  http://www.devitry.com/security.html 

    The samples on the above site take it one step 
futher and send the cookie data to another site.  

    Even https sites are vulnerable since cookie data
is available to javascript on page.

::::  Fix  ::::: 

  You should validate or filter all user input, including
hidden form fields and id's passed in url's before
the data is written out to the page.  Any poorly 
written script on your whole domain could give you 
problems.  (even old ones that do nothing like 
testenv)  Filtering or encoding is should be done 
for  ", >, < and sometimes ' 

  You should monitor for "script" passed in url's to 
your site... However, blocking in the url alone
is not good enough as the parameter could be passed
in "POST" data. 

  For sites that have your data, you should always 
log out at the end of your session, and you should
not surf more then one site at a time. 

:::  Discussion ::: 

  Most of these holes were discovered in a matter of 
minutes.  It takes more time just to find out the owner
of the site and explain to them why this is a problem. 
Is there anyway to fix this on a more global basis?  

While these types of holes are not instantly mass
exploitable, it is good (or bad, depending on how you 
look at it)  for targeting specify users and sites to 
steal sessions and personal info. 

 -Dave deVitry 
  security () devitry com 

ps. microsoft.com exploit url withheld because they 
 think they are safer that way. 

pps. all websites involved were contacted, but most
had no timely reply.
Previous By Date Next
Previous By Thread Next

Current thread: