Vulnerability Development mailing list archives

New thoughts on CSS


From: "Brett Moore" <brett () softwarecreations co nz>
Date: Sat, 2 Feb 2002 11:24:51 +1300

People are talking about CSS, yes still after many years it is a security
problem. Some people say 'what sort of a problem, yes you can steal cookies
but what else?'

So how about new ideas.

How about using CSS to exploit vulnerabilities in web sites, with some
degree of anonymity.

Example:

hello.asp takes 1 parameter (name) that is displayed to the screen with no
cleansing.

/hello.asp?name = <iframe
src=http://vuln.iis.server/scripts/root.exe?/c+dir></iframe>

I used iframe in the example as it shows something visible on the screen.
But an attacker would need no response from the server so image tags etc are
all viable.

Example Scenario.
-----------------

Web board has CSS and also runs vuln iis. Attacker posts message with css
exploit that kills the server. User comes along, reads message and user's IP
gets logged as killing the server. This could even be set to kill a
different iis server.

------------------

Feedback is requested of course, and perhaps somebody will have time and
energy to test further.

How about other exploits?
Custom made .ida overflow code
<iframe src=http://vuln.iis.server/a.ida?XXX....XXX{CUSTOM IDA OVERFLOW
CODE}></iframe>


Brett


-----Original Message-----
From: E M [mailto:rdnktrk () hotmail com]
Sent: Saturday, 2 February 2002 08:14
To: billp () boarder org; vuln-dev () securityfocus com
Subject: Re: CSS, CSS & let me give you some more CSS


I think we are getting away from the original topic, CSS and how it affects
you.

Basically the general agreement is that cookie stealing via embedded code is
the most dangerous use for CSS and the most common.
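
For the scenario in the message above, where the address logged against the request belongs to the reader and not the poster, one defender-side check is to group suspect requests by the page that referred them. This is an added example, not part of the original posts; it assumes the server logs cs(Referer), and the log lines, the host board.example, the message URL and the client addresses are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample in W3C extended log format (IIS); not real traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2002-02-02 10:01:07 192.0.2.10 GET /default.asp - 200 http://vuln.iis.server/index.asp
2002-02-02 10:02:11 192.0.2.44 GET /scripts/root.exe /c+dir 200 http://board.example/read.asp?msg=17
2002-02-02 10:02:40 192.0.2.51 GET /scripts/root.exe /c+dir 200 http://board.example/read.asp?msg=17
2002-02-02 10:03:02 198.51.100.7 GET /a.ida XXX 500 -
"""

# Request targets named in the post; extend for the site being investigated.
SUSPECT_STEMS = ("/scripts/root.exe",)
SUSPECT_SUFFIXES = (".ida",)
OWN_HOSTS = {"vuln.iis.server"}  # hosts whose pages we control


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def relayed_requests(text):
    """Map each foreign referring page to the client IPs it sent our way."""
    by_referrer = {}
    for row in parse_w3c(text):
        stem = row["cs-uri-stem"].lower()
        if not (stem in SUSPECT_STEMS or stem.endswith(SUSPECT_SUFFIXES)):
            continue
        ref = row["cs(Referer)"]
        host = urlsplit(ref).hostname if ref != "-" else None
        # A foreign referrer means the browser was steered here by markup
        # on another site, so c-ip identifies a reader, not the author.
        if host and host not in OWN_HOSTS:
            by_referrer.setdefault(ref, set()).add(row["c-ip"])
    return by_referrer


if __name__ == "__main__":
    for ref, ips in relayed_requests(SAMPLE_LOG).items():
        print(f"{len(ips)} client(s) relayed via {ref}: {sorted(ips)}")
```

Several unrelated clients sharing one foreign referrer point at the page carrying the injected markup. A missing Referer does not rule out relaying, since clients and proxies can omit the header.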

