Full Disclosure mailing list archives
Re: Search Engine XSS
From: Bill Pennington <billp () boarder org>
Date: Wed, 23 Jul 2003 15:52:51 -0700
It really is so site specific that it is hard to say. The thing to remember about XSS is that general attack vectors are client-to-client. So user "a" can attack user "b". It is really not a client-to-server attack. The most common attack scenario that I have seen is getting user b to click on a link and sending the user's cookie from an XSS'able site to another site. Then the attacker (user a) can use that cookie to become user b. There are 2 types of XSS, URL based (aka transient) and permanent, where the code is placed in some place that is viewed by a number of users (like web mail, auctions, classifieds, chat boards, etc...)
Most web app geeks call permanent XSS HTML injection these days. Now sites that have permanent XSS might also be vulnerable to SSI injection. That is when it becomes a client-to-server attack.
If you are interested you might want to check out the following URLs:
http://www.owasp.org/asac/input_validation/css.shtml
http://www.cgisecurity.com/articles/xss-faq.shtml
Of course a google search for "Cross Site Scripting" will turn up a bunch of good links as well.
On Wednesday, July 23, 2003, at 03:35 PM, Shanphen Dawa wrote:
> So why not show one of these legitimate examples instead of the overused window popup script? It would just be easier to ascertain the level of severity if an actual DoS string or this "trusted internal call" was exploited. I am sure there are a lot of forms that can be a victim of a xss string, but how many of them can actually be used for anything useful (from an attacker point of view)?
>
> On Wed, 23 Jul 2003 11:34:53 -0700 "morning_wood" <se_cur_ity () hotmail com> wrote:
>
> > both..
> >
> > > Can you use this to DoS the server?
> >
> > consider that the server must process the requests.. i think it can be a DoS issue with enough length and quantity of the requests.
> >
> > > Can you use this to gain access to areas on the server otherwise not available?
> >
> > many servers assume a call to "/somefolder/somefile.ext" is a trusted internal call. where http://theserver/somefolder/somefile.ext
> >
> > morning_wood
> > http://exploitlabs.com
>
> --
> /* "To avoid all evil, to cultivate good, and to cleanse one's mind this is the teaching of the Buddhas." Martin Ekendahl http://www.hardlined.com martin () hardlined com */
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
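The "permanent XSS" / HTML injection case Bill describes (a message board that shows stored posts to every reader) is where output encoding at render time matters. The following is an added example, not code from the thread or from any project mentioned in it: it renders constructed sample posts once without encoding and once with context-appropriate HTML escaping, and parses the result to show that the escaped page contains only the tags and attributes the template itself emitted.

```python
import html
from html.parser import HTMLParser

# Constructed sample posts a board might store verbatim. Values are made up
# for this example; the second and third mimic what a poster could type.
STORED_MESSAGES = [
    {"author": "alice", "body": "Hello board"},
    {"author": "mallory", "body": "<script>alert(1)</script>"},
    {"author": 'eve" onmouseover="alert(2)', "body": "attribute context"},
]


def render_unsafe(messages):
    """Vulnerable rendering: stored text is pasted straight into the page,
    so whatever one poster typed becomes markup for every reader."""
    rows = [f'<li data-author="{m["author"]}">{m["body"]}</li>' for m in messages]
    return "<ul>" + "".join(rows) + "</ul>"


def render_safe(messages):
    """Hardened rendering: encode at output time for the context the value
    lands in. html.escape(quote=True) covers both the element body and the
    double-quoted attribute used here."""
    rows = [
        f'<li data-author="{html.escape(m["author"], quote=True)}">'
        f'{html.escape(m["body"], quote=True)}</li>'
        for m in messages
    ]
    return "<ul>" + "".join(rows) + "</ul>"


class TagCollector(HTMLParser):
    """Records every start tag and its attribute names, as a browser would
    see them; used to check what markup the stored content produced."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def start_tags(page):
    parser = TagCollector()
    parser.feed(page)
    return parser.tags
```

With the unsafe renderer the parsed page gains a script element and an onmouseover attribute that came from stored posts; with the safe one only the template's ul and li tags remain.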