Vulnerability Development mailing list archives
Re: Cross site scripting explained
From: Slow2Show <sl2sho () yahoo com>
Date: 16 Dec 2002 20:10:01 -0000
In-Reply-To: <195f0718f5f1.18f5f1195f07 () icomcast net> http://www.idefense.com/idpapers/XSS.pdf http://www.cgisecurity.net/articles/xss-faq.shtml Those papers are by Endler and Zeno...they should get you informed. If you dont feel like reading, I'll try to sum up the basic concepts for you and everybody else. In general there are two types of XSS attacks, transient and permanent. Lets say you have an E-commerce site named example.com. Example.com uses their own type of session cookie to maintain state when a customer makes transactions. An example of a transient attack would be if I knew bob currently has the example.com cookie on his system. If I sent an IM to bob with a link that was specially crafted w/ an XSS attack payload that sent bobs example.com cookie to a cookie collecting script at bobs-evil-wife.com. So now bobs wife can use his cookie to session hijack his example.com account and do what she pleases on bobs account. Ok now lets say I have a message board, I want users to make colorful posts so I allow HTML to be put into posts, but I unfortunately I allowed everything including javascript. An Evil user comes along and inserts script into a post that when loaded, automatically posts "I am a luser" to every message board on the site, or it could do anything else the evil user wants to do on behalf of all the visitors that loaded the site up and were members of the board. Here are examples from this month of XSS attacks: http://online.securityfocus.com/archive/1/303226/2002-12-06/2002-12-12/0 http://online.securityfocus.com/archive/1/303542/2002-12-13/2002-12-19/0 http://online.securityfocus.com/archive/1/303545/2002-12-13/2002-12-19/0 Sadly this type of hole is extremly easy to find in any non-trival website...I've found hundreds all over major sites on the web. The developers just don't care much about them though because the second part of the attack, the user interaction, is difficult to accomplish. There has been much debate regarding if these types of vulns should be allowed on bugtraq. IMHO the disclosure of these types of attacks should be "moved" to webappsec list. Cheers, -Slow2Show- <-- graduating Friday woo hoo!! University of Florida
Can anyone explain to me or point me to a paper that
explains exactly
what cross site scripting is, and how it could be
useful/cause
problems for someone? Thanks. Mike
Current thread:
- Cross site scripting explained michael judge (Dec 15)
- RE: Cross site scripting explained Loki (Dec 16)
- Re: Cross site scripting explained Jirka Kosina (Dec 16)
- Re: Cross site scripting explained sullo (Dec 16)
- <Possible follow-ups>
- Re: Cross site scripting explained Dave Monnier (Dec 16)
- Re: Cross site scripting explained Stephen Friedl (Dec 16)
- RE: Cross site scripting explained Troy Patrick Frost (Dec 16)
- RE: Cross site scripting explained Arjen De Landgraaf (Dec 16)
- RE: Cross site scripting explained sreed (Dec 16)
- Re: Cross site scripting explained Slow2Show (Dec 16)
- Re: Cross site scripting explained appsec (Dec 20)