Vulnerability Development mailing list archives

Re: Cross site scripting explained


From: <appsec () technicalinfo net>
Date: Fri, 20 Dec 2002 14:41:49 GMT

Hi there,

For a detailed paper on cross-site scripting (and other injection practices) I would recommend the following paper:  
http://www.technicalinfo.net/papers/CSS.html

It goes into a lot of detail on the significance, what can/can't be done, a step through on a large site, and lots of 
options/methods on how to secure against the attacks.

For context on alternative encoding methods (to bypass many of the common "dangerous character" filters) that 
can be used in conjunction with cross-site scripting, read the following paper:  
http://www.technicalinfo.net/papers/URLEmbeddedAttacks.html

Hope this all helps.



RE: >>>>>>>>>>>>>
In-Reply-To: <195f0718f5f1.18f5f1195f07 () icomcast net>

http://www.idefense.com/idpapers/XSS.pdf
http://www.cgisecurity.net/articles/xss-faq.shtml

Those papers are by Endler and Zeno...they should get
you informed.  If you don’t feel like reading, I'll try
to sum up the basic concepts for you and everybody else.

In general there are two types of XSS attacks,
transient and permanent.

Let's say you have an E-commerce site named example.com. Example.com uses their own type of session cookie to maintain 
state when a customer makes transactions. An example of a transient attack would be if I knew Bob currently had the 
example.com cookie on his system and I sent an IM to Bob with a link that was specially crafted w/ an XSS attack 
payload that sent Bob's example.com cookie to a cookie collecting script at bobs-evil-wife.com. So now Bob's wife can 
use his cookie to session hijack his example.com account and do what she pleases on Bob's account.

Ok now let's say I have a message board. I want users to
make colorful posts so I allow HTML to be put into
posts, but unfortunately I allowed everything
including javascript. An evil user comes along and
inserts script into a post that, when loaded,
automatically posts "I am a luser" to every message
board on the site, or it could do anything else the
evil user wants to do on behalf of all the visitors
that loaded the site up and were members of the board.

Here are examples from this month of XSS attacks: 
http://online.securityfocus.com/archive/1/303226/2002-12-06/2002-12-12/0
http://online.securityfocus.com/archive/1/303542/2002-12-13/2002-12-19/0
http://online.securityfocus.com/archive/1/303545/2002-12-13/2002-12-19/0


Sadly this type of hole is extremely easy to find in any non-trivial website...I've found hundreds all over major sites 
on the web. The developers just don't care much about them though because the second part of the attack, the user 
interaction, is difficult to accomplish. There has been much debate regarding if these types of vulns should be allowed 
on bugtraq. IMHO the disclosure of these types of attacks should be "moved" to the webappsec list.

Cheers,

-Slow2Show-  <-- graduating Friday woo hoo!!
University of Florida 
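The message-board case above (the "permanent" attack) and the "dangerous character" filters mentioned in the first reply, as an added example that is not from anyone in this thread: a blacklist that rejects `<script` is compared with escaping the post on output, on a few constructed sample posts. The post texts, the `ACTIVE_MARKUP` detector and all function names are this example's own.

```python
import html
import re

# Constructed sample posts for a board that allows HTML (not from the thread).
POSTS = {
    "plain":   "Great board, love it <3",
    "markup":  "<b>bold</b> and <i>italic</i> text",
    "script":  "<script>/* would run as every visitor who loads the page */</script>",
    "evasion": '<img src="x" onerror="/* same effect without a script tag */">',
}

# Markup that would execute in a viewer's browser: a script tag, or any tag carrying an on* handler.
ACTIVE_MARKUP = re.compile(r"<\s*script|<[a-z][^>]*\son\w+\s*=", re.IGNORECASE)


def naive_blacklist(post: str) -> str:
    """The 'dangerous string' approach: reject posts containing '<script', pass everything else."""
    if re.search(r"<\s*script", post, re.IGNORECASE):
        raise ValueError("post rejected by blacklist")
    return post


def render_unfiltered(post: str) -> str:
    """Inserts the post into the page as-is, as the board in the thread does."""
    return f'<div class="post">{post}</div>'


def render_escaped(post: str) -> str:
    """Output encoding: '<', '>', '&' and quotes become entities, so the post is shown as text."""
    return f'<div class="post">{html.escape(post, quote=True)}</div>'


def is_active(rendered: str) -> bool:
    return ACTIVE_MARKUP.search(rendered) is not None


def audit() -> dict:
    """Per sample post, what each defence produces: 'blocked' (post rejected),
    'leaks' (active markup reaches the viewer) or 'clean'."""
    results = {}
    for name, post in POSTS.items():
        try:
            blacklist = "leaks" if is_active(render_unfiltered(naive_blacklist(post))) else "clean"
        except ValueError:
            blacklist = "blocked"
        escaped = "leaks" if is_active(render_escaped(post)) else "clean"
        results[name] = {"blacklist": blacklist, "escaped": escaped}
    return results


if __name__ == "__main__":
    for name, outcome in audit().items():
        print(f"{name:8} blacklist={outcome['blacklist']:8} escaped={outcome['escaped']}")
```

Escaping also turns the intended `<b>` formatting into visible text; a board that wants to keep a subset of tags needs an allow-list HTML sanitizer, which this example does not include.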

Can anyone explain to me or point me to a paper that explains exactly what cross site scripting is, and how it could be
useful/cause problems for someone?  Thanks.

Mike

