Re: [Webappsec] Tacking A Difficult Problem - Solutions

[Amit Klein <aksecurity () gmail com>]

Few more comments..

Amit Klein wrote:
> If this is a public site, and people access it through a forward proxy 
> (as I've seen several ISPs, universities, etc. force their clients to 
> do), or a transparent proxy (ditto), then the attacker doesn't have to 
> run malicious code on the client - the attacker can mount the attack 
> directly, through the proxy (assuming the attacker has "legit" access to 
> the same proxy). That's assuming at least one of the vulnerable scripts 
> can be accessed over port 80 (non-HTTPS).
>
> Moreover, even if the attacker cannot access the proxy server (or the 
> whose site must be accessed over HTTPS), HTTP Response Splitting can be 
> used to elevate an existing XSS problem into something bigger (see the 
> paper, pages 21-22).
>
>   

And even if the attacker doesn't have direct access to the proxy, he/she 
can force the client to conduct the attack, using Flash ("Sending 
arbitrary HTTP requests with Flash 7/8 (+IE 6.0)", 
http://www.securityfocus.com/archive/1/443391).

> > Sure you can split the response. But what exactly are you going to do 
> > with the second one?
> >     
>
> You can do XSS. See the paper - p.4 and pages 19-21.
>
>   

And browser cache poisoning too.


-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level 
attacks that hackers use to sneak into web applications today. This 
whitepaper will discuss how traditional XSS attacks are performed, how to 
secure your site against these attacks and check if your site is protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHA
--------------------------------------------------------------------------