Vulnerability Development mailing list archives

Re: CSS, CSS & let me give you some more CSS


From: Slow2Show <sl2sho () yahoo com>
Date: 29 Jan 2002 23:24:28 -0000


In-Reply-To: <20020129113027.B10678 () kavi com>

> Ok, so I am a little confused.  My understanding of
> CSS is that an attacker is trying to reach a victim
> through a 3rd party website. For instance, I post a
> message to a message board that contains
> javascript, and it runs on a victim's machine, who
> viewed that message.

Yes, this is one form of webApp attack: you are using 
the CSS attack vector to return user-injected 
script/HTML/PHP back to a page that is viewable by 
other website visitors...this is one of the more 
damaging attacks...but it isn't all that CSS is limited to.

> The reason I am confused is that, all of your
> supposed CSS vulns are directed at search
> scripts.  Do the queries you are entering get stored
> on the website, for later viewing by OTHER users?
> It doesn't seem likely.  The only person you could
> exploit would be, well, yourself.

Search engine inputs are notorious for not sanitizing 
user input..I believe that is why phine chose to focus on 
them...and yes, you do bring up a good point, the 
website queries could be stored on a website...to be 
viewed later by someone interested in seeing what 
people are searching for....company user loads up 
the admin query page...user-injected script is 
executed, and that website's cookie has now been 
processed by the attacker's "cookie collection PHP 
script" (CCPS) on a remote server.

How could this affect John Q. Surfer?
well, let's say I send him a link with a partially hex-
converted URL, ex:
http://website.com/someform?input=%73%75%70

This could be used in a Social Engineering attack to 
trick another user into visiting this link and having their 
cookie stolen by the attacker's CCPS...or the attacker 
could use javascript to manipulate the DOM and act 
on the user's part to do various actions...let's say post 
a message automatically on a forum.

> Maybe I have completely missed the boat on this
> one, and if so, please explain how I could attack
> someone ELSE with these...
No you just didn't see the whole boat through the 
fog...cheezy I know ;-)

> Now if you showed me that I could slip SQL into one
> of these search boxes, then I would call that a
> vulnerability...
that is a whole other story....

reference linx:
http://www.cert.org/tech_tips/malicious_code_mitigation.html
http://www.owasp.org/
http://httpd.apache.org/info/css-security/

-Slow2Show-
University of Florida

Disclaimer: I'm just a stupid college kid!
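An added example, not part of the original post, illustrating the two points above from the defender's side: the server percent-decodes a search term before echoing it (so the `%73%75%70` link in the post reaches the page as plain text), and the fix is escaping on output plus decoding stored queries before checking them for markup. All sample queries and the `SAMPLE_LOG` list are constructed for this example.

```python
import html
import re
from urllib.parse import unquote

# Markup that has no business in a search term: a tag opener, a
# javascript: URL, or an on*= event handler at a word boundary.
_MARKUP = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=",
                     re.IGNORECASE)

# Constructed sample of a stored-search log, one raw query per line.
SAMPLE_LOG = [
    "%73%75%70",
    "monkey%3D1",
    "%3Cscript%3Ealert(1)%3C/script%3E",
    "%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E",
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (handles double-encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def render_results_unsafe(query: str) -> str:
    """The pattern the post describes: the decoded term is echoed back raw."""
    return f"<p>Results for: {decode_fully(query)}</p>"


def render_results_safe(query: str) -> str:
    """Hardened form: escape on output so '<' and quotes cannot start markup."""
    return f"<p>Results for: {html.escape(decode_fully(query), quote=True)}</p>"


def flag_suspicious_queries(log_lines):
    """Decode each stored query, then return those that contain markup.

    Checking the decoded form matters: the raw log line of the last
    SAMPLE_LOG entry contains no '<' at all."""
    return [decoded for decoded in (decode_fully(l.strip()) for l in log_lines)
            if _MARKUP.search(decoded)]


if __name__ == "__main__":
    print(decode_fully("%73%75%70"))
    print(render_results_safe("%3Cscript%3Ealert(1)%3C/script%3E"))
    print(flag_suspicious_queries(SAMPLE_LOG))
```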

