Full Disclosure mailing list archives
Non-Lame XSS Vulnerability - Analog-X Proxy
From: Chris Sharp <illectro2001 () yahoo com>
Date: Mon, 25 Aug 2003 11:09:35 -0700 (PDT)
How about this for a halfway useful XSS issue: AnalogX Proxy includes an HTTP proxy, and when a domain fails a DNS lookup it will return an error page with the failed domain name in it. OK, great, so we can steal cookies from any web page on the internet providing it doesn't resolve. Not a lot of use, I hear you say. OK, maybe you can take down a nameserver long enough to steal cookies from some site, how.... Inelegant.

But the real trick is when you compare the URL parsing of MSIE and AnalogX - say with a URL like....

http://www.yahoo.com<script>alert(document.cookie)</script>

Well, MSIE thinks that this is for the domain www.yahoo.com, and so it uses the cookies from that domain. However, AnalogX thinks that this is for the domain www.yahoo.com<script>alert(document.cookie)</script>. Unless you have very fucked up DNS this won't resolve to anything, and AnalogX will return an error page containing the script.

Now if you're a smart hacker you can create a chain of redirects using your server and the XSS URLs, bounce the target to a whole host of URLs and steal all their cookies, find those domains for which the user has set low security settings and exploit these if you like. Or whatever you want to accomplish with your newfound global XSS prowess.

Chris Sharp

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
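The post's point is a parser differential: the browser and the proxy disagree about where the hostname ends, and the proxy then echoes its unvalidated idea of the host into an HTML page. The following Python is an added example, not code from the post or from AnalogX; the two host extractors are simplified models I assume here (a proxy that takes everything up to the next `/`, `?` or `#`, and a browser that keeps only the leading run of hostname characters), not MSIE's or AnalogX's real parsing logic. It shows both halves of the defence a proxy author would want: reject an authority that is not a valid hostname before any DNS lookup, and HTML-escape whatever is reflected into an error page.

```python
import html
import re
from typing import Optional

# Constructed sample of the kind of URL quoted in the post.
SAMPLE_URL = "http://www.yahoo.com<script>alert(document.cookie)</script>"

# Characters permitted in a hostname label (letters, digits, '.', '-').
_HOST_CHARS = re.compile(r"[A-Za-z0-9.-]+")


def authority_of(url: str) -> str:
    """Everything between 'scheme://' and the next '/', '?' or '#'.

    Assumed model of a proxy that performs no hostname validation; it is
    not AnalogX's actual implementation.
    """
    _, _, rest = url.partition("://")
    for i, ch in enumerate(rest):
        if ch in "/?#":
            return rest[:i]
    return rest


def lenient_host(url: str) -> str:
    """Host as a lenient browser might see it: the longest leading run of
    hostname characters. Simplified assumption, not MSIE's real algorithm."""
    m = _HOST_CHARS.match(authority_of(url))
    return m.group(0) if m else ""


def strict_host(url: str) -> Optional[str]:
    """Mitigation 1: accept the authority only if the whole of it is a valid
    hostname, so the two parsers cannot disagree about what the host is."""
    auth = authority_of(url)
    return auth if _HOST_CHARS.fullmatch(auth) else None


def unsafe_error_page(host: str) -> str:
    """The flawed pattern: reflect the unresolved name verbatim into HTML."""
    return f"<html><body>Could not resolve host {host}</body></html>"


def safe_error_page(host: str) -> str:
    """Mitigation 2: HTML-escape the reflected value so any markup in the
    'hostname' is rendered as text rather than executed."""
    return f"<html><body>Could not resolve host {html.escape(host)}</body></html>"


def handle_request(url: str) -> str:
    """Combined defensive flow: validate first, escape on every error path."""
    host = strict_host(url)
    if host is None:
        # Never look up or echo an invalid authority unescaped.
        return safe_error_page(authority_of(url))
    # (DNS lookup and forwarding would happen here in a real proxy.)
    return safe_error_page(host)


if __name__ == "__main__":
    print("lenient browser host:", lenient_host(SAMPLE_URL))
    print("proxy authority     :", authority_of(SAMPLE_URL))
    print("strict host         :", strict_host(SAMPLE_URL))
    print("unsafe page         :", unsafe_error_page(authority_of(SAMPLE_URL)))
    print("defended page       :", handle_request(SAMPLE_URL))
```

Running it shows the lenient model returning `www.yahoo.com` while the proxy model keeps the `<script>` text as part of the authority, which is exactly the disagreement the post relies on; `strict_host` refuses the URL, and `safe_error_page` turns the reflected markup into inert `&lt;script&gt;` text, so either mitigation alone closes the reflection.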