Full Disclosure mailing list archives

Re: A question of the xss vulnerability's Proof of concept


From: Justin Klein Keane <justin () madirish net>
Date: Sun, 08 Aug 2010 11:44:09 -0400


Your confusion, it seems to me, is common.  Generally XSS is
demonstrated as a simple alert box.  This PoC shows that JavaScript can
run.  The vulnerability is much deeper than an alert box, and goes to
the heart of why XSS is often not evaluated as a dangerous
vulnerability.  The PoC is harmless, but demonstrates that attackers
could inject much more damaging code than an alert box (Ref:
http://www.zdnet.com/blog/security/apacheorg-hit-by-targeted-xss-attack-passwords-compromised/6123).


Arbitrary script injection allows the attacker to craft code that
executes client side with the domain of the origin site.  This bypasses
much of the same origin protections built into JavaScript.  Attackers
can also inject script that writes additional HTML to the page, such as
iframes that source malicious drive-by download sites, Flash, Java
applets, or other plugin driven software that could compromise a host,
write HTML to obscure parts of the page, and make AJAX GET and POST
requests from the page to external sources.  The possibilities are
nearly limitless.  If there are XSRF vulnerabilities in the site,
arbitrary script could allow an attacker to leverage those as well,
doing things like changing administrative settings, adding new accounts,
changing privileges, etc.

So on the surface it looks like the PoC is just a lame pop-up box.
However, the pop-up box demonstrates that an attacker can actually
execute script limited only by their imagination.  Hope this helps.

Cheers,

Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey

On 08/08/2010 11:30 AM, supercodeing35271 supercodeing35271 wrote:
Hi, I have a rookie's puzzle about some XSS vulnerability bug reports.
If there is a vulnerability PoC in a report just like this:
http://www.example.com/index.php?id=<img src=g
onerror=alert(document.cookie)> or
http://www.example.com/index.php?id=<img src=g onerror=alert("xss")>

OK, this may cause an alert when the URL is run. But my question is why
it can say this:
"Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application."

I see many reports have the same words. Why, when an alert can be output, can
we then say "User can execute arbitrary JavaScript code within the
vulnerable application"?
The last thing is that I am a rookie; this seems like a stupid question but it
is a true puzzle to me.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
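The point of the reply above, shown as an added example that is not part of the original thread: the `id` parameter from the quoted PoC URL is reflected into a page once unencoded (the behaviour the report implies) and once with HTML entity encoding, and an HTML parser is used to show that the unencoded version hands the browser a new element with an event handler, while the encoded version yields only text. The `render_*` functions and the `<p>` template are assumptions about how such an index.php might echo the value.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# PoC URL exactly as quoted in the thread (example.com is the thread's own placeholder host).
POC_URL = "http://www.example.com/index.php?id=<img src=g onerror=alert(document.cookie)>"


def get_id_param(url: str) -> str:
    """Extract the raw `id` query parameter, as the vulnerable script would receive it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("id", [""])[0]


def render_vulnerable(id_value: str) -> str:
    # Assumed template: the parameter is echoed straight into the HTML body.
    return f"<p>Item: {id_value}</p>"


def render_hardened(id_value: str) -> str:
    # Same template with contextual output encoding for an HTML text node.
    # Note: attribute, URL and script contexts each need their own encoding.
    return f"<p>Item: {html.escape(id_value, quote=True)}</p>"


class TagCollector(HTMLParser):
    """Record every start tag and its attributes, roughly as a browser parser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(fragment: str) -> list[tuple[str, dict]]:
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def event_handlers(fragment: str) -> list[tuple[str, str]]:
    """Return (tag, attribute) pairs for on* attributes: each is script the browser would run."""
    return [(tag, name) for tag, attrs in parse_tags(fragment) for name in attrs if name.startswith("on")]


if __name__ == "__main__":
    value = get_id_param(POC_URL)
    print("vulnerable:", event_handlers(render_vulnerable(value)))  # [('img', 'onerror')]
    print("hardened:  ", event_handlers(render_hardened(value)))    # []
```

An attacker-controlled `onerror` handler on an injected element is exactly the "arbitrary JavaScript" the report describes; the alert is only the payload chosen to prove the handler runs.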
