RE: Can you exploit this XSS?

["Parity" <parity () ghettohackers net>]

> As I understand XSS, it is only exploitable when user A enters data
> that user B views. XSS is moot when you can only do it to yourself

        Actually, that's incorrect...

        Provided that I, as an attacker, can induce someone to follow a
hyperlink, I can exploit XSS bugs like this.  For instance, if "XXX" is
a querystring parameter, all I have to do is get my victim to follow a
link like this:

http://www.vulnerable.com/page?exploitvar=foo%22%3e%%203cscript%3ealert(
'0wned!')%3c/script%3e%20%3c%bogustag%20foo%3d%22bar

        and then the following will be displayed to the victim:

<input type="hidden"  name="tageturl" value="foo">
<script>alert('0wned!')</script> <bogustag foo="bar">

        Sure, there's a minor amount of social engineering involved - I
need you to follow a link, but there's a lot of ways to make that
happen.  Especially when the link points to an app which the victim
trusts to behave itself.

        To Paul's original question, I don't think this bug is
exploitable because the app encodes the attacker-supplied " char, which
prevents the attacker's input from terminating the quoted attribute
value context.  By confining the attacker's input to that context,
whatever the attacker supplies will be interpreted as a literal by the
victim's browser.

        pty

-----Original Message-----
From: Scovetta, Michael V [mailto:Michael.Scovetta () ca com] 
Sent: Wednesday, November 19, 2003 8:46 AM
To: Paul Johnston; vuln-dev () securityfocus com; rich () westpoint ltd uk
Subject: RE: Can you exploit this XSS?

As I understand XSS, it is only exploitable when user A enters data that
user B views. XSS is moot when you can only do it to yourself, so
screens
like that (a redirect), is just a convenience for the user. It should
still be properly clensed, but I don't see this being a true case of
XSS,
more like JavaScript Injection.

Michael Scovetta
Application Developer
Computer Associates International, Inc.


-----Original Message-----
From: Paul Johnston [mailto:paul () westpoint ltd uk]
Sent: Wednesday, November 19, 2003 7:51 AM
To: vuln-dev () securityfocus com; rich () westpoint ltd uk
Subject: Can you exploit this XSS?


Hi,

While auditing a web app, I've found the site redirects not found pages 
to a login screen. This contains an element like:

<input type="hidden"  name="tageturl" value="XXX">

Now, the XXX bit is controlled by the user, and it seems the only 
characters escaped are " and & - i.e. 
<script>alert(document.cookie)</script> gets through (hence my tool 
alerted me).

Can this be exploited for XSS? I can't see how to immediately, but it 
seems possible.

Paul

-- 
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk