WebApp Sec mailing list archives
Re: Advanced XSS paper and semi-new attack
From: Härnhammar, Ulf <Ulf.Harnhammar.9485 () student uu se>
Date: Mon, 20 Oct 2003 12:50:58 +0200
That's an interesting paper! Some points I thought about while reading it:

* Many environments (PHP, Perl+CGI.pm) accept both POSTed and GETted data. At least in some circumstances, they just put it in a structure for incoming data without much regard for what HTTP method was used.

* Several HTML constructs (<img>, <frame>, <iframe>..) will make the web browser start fetching a URL as soon as the web browser sees it, without asking the user first. In environments where there is either an XSS problem or an HTML filter that allows these constructs, they can be used for either:

  a) performing actions in a web application under other people's names. For example,
     <img src="password-change.php?new=client&again=client">

  b) using someone else as a proxy for cracking into some server. For example,
     <frame src="ftp://ftp.vulnerable.org/AAAAAAAAAAAAAAAAAAAAAbufferoverflowfromhellAAA">

* An additional difficulty is that web browsers accept redirects for images, so someone could include an image ostensibly pointing to a PNG image on their server but which immediately redirects to a mail-sending script at your server.

* This evil redirect problem isn't just related to XSS and such things. It can also be used together with social engineering. If people see an interesting link and click it, they don't expect the link to redirect back to the web application that they're logged in to and do nasty things there, but it can happen.

(I'm not sure if this information was new or not, just some stuff I've had lying around in my notebooks for months without writing it up.)

-- 
Ulf Härnhammar, student, Uppsala Universitet

"My ideas / often hit / platform six at London Bridge / took a train / thought of you / only until Waterloo" -- Vic Twenty, "Kiss You"

På spaning efter den webbransch som flytt (In search of the web industry that fled)
http://home.student.uu.se/ulha9485/text/webbransch.html

kses - PHP HTML/XHTML filter
http://sourceforge.net/projects/kses
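The two server-side behaviours the post relies on, parameters accepted regardless of HTTP method and a logged-in user's browser fetching `<img>`/`<frame>` URLs (or following a redirect to them) with the session cookie attached, can be replayed against a toy handler. The example below is added here and is not code from the post or from kses; the handler names, the session store, the token value and the three requests are all constructed for illustration. The first handler merges query-string and body parameters the way PHP's `$_REQUEST` or CGI.pm's `param()` do, so the forged GET from `<img src="password-change.php?new=client&again=client">` changes the password. The second requires POST, reads the body only, and checks a per-session anti-CSRF token that a cross-site `<img>`, `<frame>` or redirect cannot supply.

```python
import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed server-side state (not real data): session id -> session record.
SESSIONS = {
    "sess-alice": {"user": "alice", "csrf": "tok-alice-8f3a"},
}
INITIAL_PASSWORDS = {"alice": "original"}


@dataclass
class Request:
    """A minimal stand-in for an incoming HTTP request."""
    method: str
    query: str = ""                       # raw query string, e.g. "new=x&again=x"
    body: str = ""                        # raw application/x-www-form-urlencoded body
    cookies: dict = field(default_factory=dict)


def _params(raw):
    """Decode a query string or form body into a flat dict (last value wins)."""
    return {k: v[-1] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def _session(req):
    return SESSIONS.get(req.cookies.get("sid", ""))


def change_password_vulnerable(req, passwords):
    """Merges GET and POST parameters like PHP's $_REQUEST or CGI.pm's param(),
    so a cookie-bearing GET triggered by an <img> tag is enough to change the password."""
    sess = _session(req)
    if sess is None:
        return "401 not logged in"
    params = {**_params(req.body), **_params(req.query)}   # HTTP method is never checked
    if params.get("new") and params.get("new") == params.get("again"):
        passwords[sess["user"]] = params["new"]
        return "200 changed"
    return "400 mismatch"


def change_password_hardened(req, passwords):
    """Requires POST, reads parameters from the body only, and demands the
    per-session anti-CSRF token, which a forged <img>/<frame> request cannot supply."""
    sess = _session(req)
    if sess is None:
        return "401 not logged in"
    if req.method != "POST":
        return "405 method not allowed"
    params = _params(req.body)                               # query string is ignored
    if not hmac.compare_digest(params.get("csrf", ""), sess["csrf"]):
        return "403 bad csrf token"
    if params.get("new") and params.get("new") == params.get("again"):
        passwords[sess["user"]] = params["new"]
        return "200 changed"
    return "400 mismatch"


# Constructed requests. FORGED_GET is what the browser sends for
# <img src="password-change.php?new=client&again=client"> on a page alice views while
# logged in: her session cookie rides along and there is no body. A 302 from an
# attacker-hosted "image" to that URL produces exactly the same request.
FORGED_GET = Request("GET", query="new=client&again=client", cookies={"sid": "sess-alice"})
# A hidden auto-submitting form can forge a POST, but cannot know alice's token.
FORGED_POST = Request("POST", body="new=client&again=client", cookies={"sid": "sess-alice"})
# The genuine form carries the token the server rendered into alice's own page.
LEGIT_POST = Request("POST", body="new=client&again=client&csrf=tok-alice-8f3a",
                     cookies={"sid": "sess-alice"})


def run_scenarios():
    """Replays each request against both handlers; returns (status, resulting password)."""
    results = {}
    for name, handler in (("vulnerable", change_password_vulnerable),
                          ("hardened", change_password_hardened)):
        for label, req in (("forged_get", FORGED_GET), ("forged_post", FORGED_POST),
                           ("legit_post", LEGIT_POST)):
            pw = dict(INITIAL_PASSWORDS)
            results[(name, label)] = (handler(req, pw), pw["alice"])
    return results


if __name__ == "__main__":
    for key, val in run_scenarios().items():
        print(key, val)
```

Rejecting GET alone is not sufficient: the forged POST shows that a method check only moves the attacker from an `<img>` tag to an auto-submitting form, and it is the secret token bound to the victim's session that the cross-site page cannot read or guess.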
Current thread:
- Advanced XSS paper and semi-new attack Gavin Zuchlinski (Oct 18)
- <Possible follow-ups>
- Re: Advanced XSS paper and semi-new attack Härnhammar, Ulf (Oct 20)
- Re: Advanced XSS paper and semi-new attack Härnhammar, Ulf (Oct 20)