Full Disclosure mailing list archives
Re: Cross-Site Scripting - an industry-wide problem
From: "Berend-Jan Wever" <skylined () edup tudelft nl>
Date: Fri, 24 Dec 2004 15:53:35 +0100
I looked at XSS in major websites in 2002 and found most of them vulnerable then, I reported it to them and full-disclosure. Apparently nothing's changed: either it is not an issue or not enough of an issue for them to spend money on.

I wrote two short papers on XSS, they can be found here:
http://www.edup.tudelft.nl/~bjwever/whitepaper_xss.html
http://www.edup.tudelft.nl/~bjwever/whitepaper_xss2.html

Cheers,
Berend-Jan Wever
SMTP: <skylined () edup tudelft nl>
HTTP: http://www.edup.tudelft.nl/~bjwever
MSN: Skylined () edup tudelft nl
IRC: SkyLined in #SkyLined on EFNET
PGP: key ID 0x48479882

----- Original Message -----
From: "morning_wood" <se_cur_ity () hotmail com>
To: "mikx" <mikx () mikx de>; <full-disclosure () lists netsys com>; <bugtraq () securityfocus com>; <NTBUGTRAQ () LISTSERV NTBUGTRAQ COM>
Sent: Friday, December 24, 2004 07:42
Subject: Re: [Full-disclosure] Cross-Site Scripting - an industry-wide problem
quite common, funny because xss can be used in PHISHING attacks. instead of <alert blah> try some html redirects to a hosted site with a fake login spoofing the original content ( a login page ) and capture username/password then pass them to the real login page. or better yet... xss dos attacks, like. [script] alert("oh no") ;window.close() [/script] but i guess xss is just kiddie play... or is it?

m.w

Cross-Site Scripting - an industry-wide problem
===============================================

In early December I started a series of tests to find Cross-Site Scripting (XSS) vulnerabilities. It quickly turned out that the majority of all major websites suffer some kind of XSS. This is a disclosure of 175 vulnerabilities at once. Enjoy the ride...

Test scenario
=============

A site was considered affected if it is possible to inject a javascript into the output page by making a browser GET or POST request to the webserver. As a proof-of-concept the script "alert(document.cookie)" got used.

All tests were made on a fully patched WinXP SP2 machine and Internet Explorer 6. Most of the proof-of-concept links in this report will not work using another browser, mainly because in many cases I used javascript in styles which isn't supported by browsers like Firefox and because Firefox automatically applies character encoding to a URL. I was just too lazy to test each issue cross-browser, so this doesn't mean automatically that Internet Explorer is more vulnerable to XSS.

Impact
======

In many cases XSS is reduced to the attack of stealing session cookies, but XSS can be used to do a lot more things. Using DOM manipulation you can change the target of a login form or fake one, change download links or simply insert your own content into a website. As part of mass-mailings this can be used for login data phishing, spreading of malware or distribution of false news that seem to come from a trustworthy source (which is an interesting option for daytraders on penny stocks for example).
Don't forget that the injected script is running in the security context of the affected site. If you know who you are attacking and that the victim has the affected site in a special trusted zone it can be possible to execute "not safe for scripting" ActiveX controls - giving you more or less total control. In intranets and for extranet web applications this is a not so uncommon configuration.

For sure XSS is nothing compared to a remote buffer overflow. But only because this "worst case scenario" is happening quite often these days, it does not mean XSS is not a security issue. XSS flaws are easy to find and spammers are always searching for new stuff. Finally for some sites on the list dedicated to security an XSS flaw is just an embarrassing thing ;)

Affected sites
==============

This list is reduced to the second-level domain for readability and posting size. This isn't always fair since sometimes a sub-domain is independent from the SLD. Please download the complete list of proof-of-concept links from http://www.mikx.de/xss.php.

All webmasters were informed by an email and/or their website feedback forms during December, to give them a fair chance to react. Some of them replied really quick and patched the issue in a few hours, others (sadly a lot) never replied. If you are responsible for one of the affected sites and you have not been informed or are not able to reproduce the issue, please don't hesitate to contact me.

The sites in the tests were picked at random from international and German major websites and/or sites related to security/computers.
I just tested what came to my head - so there is no "hidden message":

about.com, activestate.com, adobe.com, altavista.com, amazon.com, amd.com, annoyances.org, aol.com, apache.org, apple.com, archive.org, arcor.de, ask.com, ati.com, bahn.de, bitdefender.de, blizzard.com, blogdex.net, blogger.com, bloogz.com, ca.com, ccc.de, cdu.de, chip.de, ciao.de, cert.org, chillingeffects.org, cnn.com, comdirect.de, consors.de, csialliance.org, csu.de, dell.com, daypop.com, divx.com, dooyoo.de, doubleclick.com, download.com, easycredit.de, ebay.com, etrade.com, evite.com, excite.com, fedex.com, fimatex.de, flexwiki.com, fool.com, free-av.de, freshmeat.net, fsf.org, fujitsu.com, gamestar.de, gm.com, gmx.net, gnu.org, go.com, golem.de, google.com, groupee.com, gruene-partei.de, guenstiger.de, heise.de, hosting.com, hp.com, ibm.com, icq.com, idealo.de, imagemagick.org, infineon.com, informationsecurityireland.com, infospace.com, intel.com, itaa.org, izb.de, jamba.de, juno.com, kde.org, kelkoo.de, kerio.com, liberale.de, linspire.com, looksmart.com, lufthansa.com, lycos.com, macromedia.com, mandrakesoft.com, mayflower.de, mcafee.com, meetup.com, messagelabs.com, metacrawler.com, metadot.com, microsoft.com, mlb.com, mnogosearch.org, modblog.com, modssl.org, mozilla.org, mozillazine.org, msdn.com, msn.com, msnbc.com, nasa.gov, nationalgeographic.com, nba.com, netiq.com, nfl.com, netflix.com, netscape.com, nokia.com, novell.com, nytimes.com, onlinekosten.de, opencores.org, openssl.org, opera.com, oracle.com, paypal.com, pc-magazin.de, pcpowerplay.de, pcwelt.de, phpcenter.de, pmwiki.org, privacy.org, pro7.de, ptb.de, postgresql.org, quoka.de, reactos.com, real.com, redhat.com, redvsblue.com, riaa.com, rtl.de, ryanair.com, sans.org, sbroker.de, securityfocus.com, securityspace.com, shutterfly.com, slashdot.org, snocap.com, sony.com, sourceforge.net, sparkasse.de, spd.de, spreadfirefox.com, squid-cache.org, sqlite.org, staysafeonline.com, stern.de, strato.de, sun.com, suse.de, technorati.com, telekombusiness.de, theonion.com, tiscali.com, tomshardware.com, uci.edu, ups.com, upside.de, us-cert.gov, validome.org, varbusiness.com, vasoftware.com, viruslist.com, w3.org, web.de, worldofwarcraft.com, wsj.com, xoom.com, yahoo.com, yopi.de, zonelabs.com

References
==========

It turned out that in some cases third-party software used on the websites is suffering a bug. Here the Common Vulnerabilities and Exposures (cve.mitre.org) names:

CAN-2004-1059 mnogosearch (as used at www.redhat.com)
CAN-2004-1061 bugzilla (as used at bugzilla.mozilla.org bug #272620)
CAN-2004-1062 viewcvs (as used at cvs.apache.org)
CAN-2004-1146 cvstrac (as used at cvs.openssl.org)

http://www.slashcode.com/article.pl?sid=04/12/15/1540200
http://www.mnogosearch.com/winhistory.html

Credits
=======

I would like to thank a few people for helping me out through the tests and working on fixing the issues as quickly as possible:

Christoph "Locke" Wehrmann (for making me addicted to XSS)
Mark J Cox (Red Hat Security Response Team)
Daniel Bachfeld (heisec)
Jamie McCarthy and Chris Nandor (slashcode)
Alexander Barkov (mnogosearch)
Microsoft Security Response Center
Google Security Team
Bugzilla Team
Everybody who responded to my report mail :)

Contact
=======

Michael Krax <mikx () mikx de>
http://www.mikx.de/

Happy Holidays!
mikx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
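The reflection bug mikx's test scenario describes (a request parameter echoed into the response), its fix, and the point from the post that browser URL-encoding and entity encoding do not help in every context, as an added JavaScript example that is not part of the thread; the function names are illustrative.

```javascript
// Added example, not from the thread: a minimal model of the reflected-XSS
// test scenario described in the post, the fix, and why the browser's own
// URL-encoding is not a mitigation. Function names are illustrative.

// The proof-of-concept payload used in the post.
const PROBE = '<script>alert(document.cookie)</script>';

// Vulnerable pattern: the request parameter is concatenated straight into HTML.
function renderVulnerable(q) {
  return `<p>Results for: ${q}</p>`;
}

// Encode the five HTML metacharacters; correct for element content and for
// values inside double-quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderFixed(q) {
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Style context: the post notes that script inside CSS worked in IE6, and
// entity encoding does not apply there. Allow-list the value instead.
function safeColor(value) {
  return /^#[0-9a-f]{6}$/i.test(value) ? value : '#000000';
}
function renderStyleFixed(color) {
  return `<div style="color:${safeColor(color)}">...</div>`;
}

// The percent-encoding a browser applies to the URL (which the post says hid
// issues in Firefox) is undone by the server's query parser, so the server
// still sees the raw payload.
function paramFromUrl(url, name) {
  return new URL(url).searchParams.get(name);
}

// Crude response check for a regression test: does the rendered page contain
// a live <script> tag or an inline event handler? A test oracle, not a filter.
function containsScript(html) {
  return /<script\b/i.test(html) || /\son[a-z]+\s*=/i.test(html);
}
```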