Bugtraq mailing list archives

Re: recent 'cross site scripting' CERT advisory


From: metal_hurlant () YAHOO COM (Henri Torgemane)
Date: Tue, 8 Feb 2000 14:07:11 -0800


I believe you're not talking about the same kind of attack.
You're thinking about the traditional problems, where the server tries to
protect itself from evil clients.
CSS is about a server trying to protect good clients from an evil third party.

For that purpose, the server should trust good clients in order to prevent
third party attacks.
If that trust gets abused, at most, someone will be able to grab his own
cookies, or modify his own form entries. Not a big deal.

However, relying on that REFERER thingy to solve the CSS problem is risky.
It's probably not reasonable to compare REFERERs to a set of every valid URL,
so most implementations would simply check if the hostname or IP is valid.
This means it only takes one unprotected script somewhere on the web site to
completely void the benefits of the check:
The attacker would simply have to pipe his attack through the unprotected
script to then have full CSS abilities.

But if it is done right (i.e.: you're explicitly specifying which files don't
need a REFERER check, rather than trying to keep a list of every script that
needs it), I believe it can provide instant CSS protection without having to
audit all these server scripts right away.

Regards,
Henri Torgemane

Ari Gordon-Schlosberg wrote:

[Bill Thompson <bill () DIAL PIPEX COM>]
One form of protection from a truly *cross-site* attack that I didn't
see mentioned in the CERT advisory is the trusty "HTTP_REFERER"
check. But then, with so many sites using affiliate programs to get
their search boxes and book-buying links distributed across the Web,
there may be few major e-commerce sites that block requests based on
the referral source.

HTTP_REFERER is trivial to spoof, and it's likely that anyone perpetrating
a sophisticated attack would laugh at having to spoof the Referer: header.
It's a form of trusting the client, which is a big, huge, no-no.  It's okay
if you're trying to protect from someone seeing a page that they should
register for (like downloading a white paper), because it's not worth an
attacker's trouble to circumvent something like that.  But Referer: should never
be used as a security measure.  Hell, anyone with telnet can spoof a Referer:
URL.

--
Ari                                                     there is no spoon
-------------------------------------------------------------------------
http://www.nebcorp.com/~regs/pgp for PGP public key
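The two designs Henri contrasts above, a bare hostname comparison versus an explicit list of scripts that are exempt from the check, side by side as an added example. This is not code from the thread or from any site discussed in it; the site name `shop.example`, the paths, and the sample requests are all constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed configuration for a hypothetical site (not from the post).
SITE_HOST = "shop.example"

# Default-deny: every path requires a same-host Referer unless it is listed here.
# This is the "explicitly specify which files don't need a check" design the
# post recommends; the list stays short and is the only thing that needs auditing.
REFERER_EXEMPT_PATHS = {"/", "/index.cgi", "/search.cgi"}   # entry points reachable from partner sites


def referer_host(referer):
    """Return the lowercase hostname from a Referer value, or None if absent or unparsable.

    Port and case are stripped so that 'http://SHOP.EXAMPLE:80/x' and
    'http://shop.example/x' compare equal.
    """
    if not referer:
        return None
    parsed = urlparse(referer)
    return parsed.hostname if parsed.hostname else None   # .hostname is already lowercased


def hostname_only_check(request):
    """The weak form: accept any request whose Referer hostname matches the site.

    Note the limitation Henri describes: this cannot tell ordinary in-site
    navigation apart from a request that arrived via some unprotected script
    on the same host, because both carry a same-host Referer.
    """
    return referer_host(request.get("referer")) == SITE_HOST


def default_deny_check(request):
    """Exemption-list form: only listed paths skip the check; every other path
    needs a same-host Referer. Scripts not yet audited are protected by default."""
    if request["path"] in REFERER_EXEMPT_PATHS:
        return True
    return referer_host(request.get("referer")) == SITE_HOST


def triage(requests):
    """Run both checks over a batch of requests; returns (path, hostname_ok, default_deny_ok)."""
    return [(r["path"], hostname_only_check(r), default_deny_check(r)) for r in requests]


# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = [
    {"path": "/account.cgi", "referer": "http://shop.example/account.cgi"},     # in-site navigation
    {"path": "/account.cgi", "referer": None},                                  # no Referer at all
    {"path": "/account.cgi", "referer": "http://evil.example/lure.html"},       # third-party origin
    {"path": "/search.cgi",  "referer": "http://partner.example/widget.html"},  # exempt entry point
    {"path": "/account.cgi", "referer": "http://SHOP.EXAMPLE:80/search.cgi"},   # same host, odd case/port
]

if __name__ == "__main__":
    for path, weak, strict in triage(SAMPLE_REQUESTS):
        print(f"{path:14} hostname-only={weak!s:5} default-deny={strict!s:5}")
```

As Ari's reply points out, none of this defends against a client that controls its own headers; the check only helps where the "client" is a good user's browser being steered by a third party, which is the case Henri is describing. The exempt list is the part to keep small and review deliberately.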

