Vulnerability Development mailing list archives
RE: Can you exploit this XSS?
From: "Parity" <parity () ghettohackers net>
Date: Sun, 23 Nov 2003 12:57:08 -0800
As I understand XSS, it is only exploitable when user A enters data that user B views. XSS is moot when you can only do it to yourself
Actually, that's incorrect... Provided that I, as an attacker, can induce someone to follow a hyperlink, I can exploit XSS bugs like this. For instance, if "XXX" is a querystring parameter, all I have to do is get my victim to follow a link like this:

http://www.vulnerable.com/page?exploitvar=foo%22%3e%%203cscript%3ealert( '0wned!')%3c/script%3e%20%3c%bogustag%20foo%3d%22bar

and then the following will be displayed to the victim:

<input type="hidden" name="tageturl" value="foo"> <script>alert('0wned!')</script> <bogustag foo="bar">

Sure, there's a minor amount of social engineering involved - I need you to follow a link, but there's a lot of ways to make that happen. Especially when the link points to an app which the victim trusts to behave itself.

To Paul's original question, I don't think this bug is exploitable because the app encodes the attacker-supplied " char, which prevents the attacker's input from terminating the quoted attribute value context. By confining the attacker's input to that context, whatever the attacker supplies will be interpreted as a literal by the victim's browser.

pty

-----Original Message-----
From: Scovetta, Michael V [mailto:Michael.Scovetta () ca com]
Sent: Wednesday, November 19, 2003 8:46 AM
To: Paul Johnston; vuln-dev () securityfocus com; rich () westpoint ltd uk
Subject: RE: Can you exploit this XSS?

As I understand XSS, it is only exploitable when user A enters data that user B views. XSS is moot when you can only do it to yourself, so screens like that (a redirect) are just a convenience for the user. It should still be properly cleansed, but I don't see this being a true case of XSS, more like JavaScript Injection.

Michael Scovetta
Application Developer
Computer Associates International, Inc.

-----Original Message-----
From: Paul Johnston [mailto:paul () westpoint ltd uk]
Sent: Wednesday, November 19, 2003 7:51 AM
To: vuln-dev () securityfocus com; rich () westpoint ltd uk
Subject: Can you exploit this XSS?
Hi,

While auditing a web app, I've found the site redirects not found pages to a login screen. This contains an element like:

<input type="hidden" name="tageturl" value="XXX">

Now, the XXX bit is controlled by the user, and it seems the only characters escaped are " and & - i.e. <script>alert(document.cookie)</script> gets through (hence my tool alerted me).

Can this be exploited for XSS? I can't see how to immediately, but it seems possible.

Paul

--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street, Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk
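Added example (editor's code, not from any poster in this thread): it reproduces the app's minimal escaping of only " and &, renders Paul's hidden input, and checks with a tokenizer whether the user-supplied data stays confined to the quoted attribute value, which is Parity's argument. It also generalizes beyond the page with a hypothetical `render_as_text` variant (not on the page) that reflects the same data into element text, where that escaping is no longer enough.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the probe string Paul reports his tool sent.
PROBE = "<script>alert(document.cookie)</script>"


def app_escape(value: str) -> str:
    """Escaping Paul observed in the app: only '"' and '&' are encoded."""
    return value.replace("&", "&amp;").replace('"', "&quot;")


def render_hidden_input(value: str) -> str:
    """The page's element: user data lands inside a double-quoted attribute."""
    return f'<input type="hidden" name="tageturl" value="{app_escape(value)}">'


def render_as_text(value: str, strict: bool = False) -> str:
    """Hypothetical variant (not on the page): the same data reflected into
    element text. '"' means nothing here, '<' does; strict=True switches to
    html.escape, which also encodes < > and '."""
    esc = html.escape if strict else app_escape
    return f"<p>Not found: {esc(value)}</p>"


class _Tags(HTMLParser):
    """Collect start tags roughly the way a browser tokenizer would see them."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def start_tags(markup: str):
    p = _Tags()
    p.feed(markup)
    p.close()
    return p.tags


def value_confined(markup: str, original: str) -> bool:
    """True when parsing yields exactly one <input> whose value attribute decodes
    back to the original data, i.e. the input never left the attribute context."""
    tags = start_tags(markup)
    return len(tags) == 1 and tags[0][0] == "input" and tags[0][1].get("value") == original


if __name__ == "__main__":
    print(value_confined(render_hidden_input(PROBE), PROBE))          # True
    print([t for t, _ in start_tags(render_as_text(PROBE))])           # ['p', 'script']
    print([t for t, _ in start_tags(render_as_text(PROBE, True))])     # ['p']
```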