WebApp Sec mailing list archives
Re: XSS
From: Matthew Miller <mmiller () atstake com>
Date: Wed, 11 Dec 2002 08:03:49 -0500
John,

Two things. First, there are really two types of XSS: persistent, where the injected code is stored within the web application, such as in distribution lists, databases, etc., and transaction-based, requiring a user to perform an action in order to be affected, such as clicking on a link or viewing a page with malicious script in it. Therefore, any site that is accepting any form of user input is potentially vulnerable, though the risk of persistent XSS exceeds the risk of transaction-based XSS in most cases.
Second, XSS is not only used to grab a user's session ID. An attacker could inject code into the page to redirect the user or modify the presentation of content. Imagine a corporate site where you could add/modify a press release or news items; could you impact the company's stock price or lessen consumer confidence? Imagine a pharmaceutical site where you could modify the dosage for a medication; could you get someone to overdose?
mm
--
Matthew P. Miller
www.atstake.com

On Tuesday, December 10, 2002, at 11:35 AM, John Madden wrote:
Hi All,

Thanks to everyone for their responses. Maybe I did not express myself well enough. What I wanted to know is: if a site is vulnerable to XSS but doesn't allow any write operation, any postings for other users to actually use the malicious URL, can it be used for something else? The reason I'm asking is that the company I work for is vulnerable but doesn't allow any kind of user input (basically it's just an information site). We have to weigh the threat vs. cost; if nothing can be done with the XSS (not to say that they will never allow any user input...) then it will have a lower priority in the recommendations, and if fixing all the web pages costs mucho $$$$ then we have to consider that as well. Any ideas?

--- Kevin Spett <kspett () spidynamics com> wrote:

We've got an XSS paper that describes a real attack in technical detail. The scenario it uses is a bank login page that uses client-supplied data for a login-failed error message. http://www.spidynamics.com/mktg/xss I hope it helps.

Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "John Madden" <chiwawa999 () yahoo com>
To: <webappsec () securityfocus com>
Sent: Tuesday, December 10, 2002 9:38 AM
Subject: XSS

Hello all, Being new to XSS and seeing a lot of messages in the last couple of weeks on the subject got me wondering... What is the real vulnerability if the site in question is vulnerable to XSS but does not let you write any malicious scripts on the system, like message boards, forums, etc.? Can anything be done to exploit XSS if the above scenario occurs? I know it depends on the web server, packages installed, etc. I'm asking in general: is it possible? You can do the document.cookie and view your cookie, that might give a hint on the structure but... or redirect yourself to another web site :) etc... I've read the document on XSS by David Endler http://www.idefense.com/papers.html but still have some questions.
If possible, can the XSS gurus on the list shed some light on the subject. Thanks for your time, Cheers
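The scenario Kevin Spett's paper describes, a login-failed message built from client-supplied data, as an added Python example that is not part of this thread: the reflected (transaction-based) rendering beside its output-encoded form, plus a check a reviewer can use to see whether a probe string comes back unencoded. The URL, the `user` query parameter and the page template are constructed assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: an information-only site with no write operations.
# The only "input" is the query string of a link, which is all a
# transaction-based (reflected) XSS needs.
TEMPLATE = "<p>Login failed for user: {user}</p>"


def _user_param(url: str) -> str:
    """Pull the assumed 'user' parameter out of a full URL's query string."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("user", [""])[0]


def render_unsafe(url: str) -> str:
    """Vulnerable form: the client-supplied value is placed into markup verbatim,
    so whatever the link carries becomes part of the page the victim views."""
    return TEMPLATE.format(user=_user_param(url))


def render_safe(url: str) -> str:
    """Hardened form: HTML-encode the value before it enters the markup.
    quote=True also encodes quotes, which matters when the value lands in
    an attribute rather than in element text."""
    return TEMPLATE.format(user=html.escape(_user_param(url), quote=True))


def reflects_unencoded(page: str, probe: str) -> bool:
    """Review check: True if the probe survives into the response as-is,
    i.e. the page reflects client input without encoding it."""
    return probe in page


if __name__ == "__main__":
    # Harmless probe: a bold tag is enough to show markup is interpreted.
    link = "https://bank.example/login?user=%3Cb%3Ex%3C/b%3E"
    print(render_unsafe(link))  # tag survives, browser renders it as markup
    print(render_safe(link))    # tag is encoded, browser shows literal text
```

Running the check against both renderings of the same link makes the distinction concrete: the fix is encoding on output, not restricting who can post.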