Vulnerability Development mailing list archives

Re: CSS, CSS & let me give you some more CSS


From: tmorgan-security () kavi com
Date: Tue, 29 Jan 2002 12:51:40 -0800

Maybe I have completely missed the boat on this one, and if so,
please explain how I could attack someone ELSE with these...

A friend just explained it to me.  I guess I kinda did miss the
boat...  I will explain it here so that others who are confused as I
was can learn from this as well.  If my reasoning is flawed, I
would like to hear about it:

The victim has an account on a site which uses cookies for
authentication.  An attacker sends them a link (in email, or
otherwise) to that site with javascript encoded in the GET of the URL.
This GET string activates the search functionality of the site, thus
causing the javascript to be run, which steals the victim's cookie
and sends it back to evilhost.com in another GET.

Of course other scenarios exist, but this is just one example.


Side note:
 On the subject of ethics... I am all for full-disclosure policies.
 However, in many cases, disclosing web application vulnerabilities
 is senseless if the application is only served up by a single
 entity.  The whole point in disclosure is so that those running the
 buggy applications can do the footwork and download the applicable
 patches.  In the case of custom web applications that run on one
 small set of servers, I don't see how full disclosure PRIOR to a
 fix is needed.  If a web application is buggy, and it is only
 running on one site, a fix benefits ALL users immediately.
 Disclosure prior to this only opens the site and its users up for
 attack.  Of course if the people running the site refuse to fix it,
 that is another matter...
 
sincerely,
tim
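The search-page scenario described in the post above, as an added example that is not part of the original message: a small Python model of the defect (the search term reflected into the page verbatim) next to the hardened version, plus a session cookie flagged HttpOnly so that script running in the page cannot read it. The function names and the sample query are constructed for illustration.

```python
# Added example, not code from the original post: a minimal model of the
# search page described above, showing the reflected-input defect and the
# hardened rendering, plus a cookie that page scripts cannot read.
import html
from http.cookies import SimpleCookie

# Constructed sample input: a query string carrying markup instead of search terms.
SAMPLE_QUERY = "<script>x()</script>"


def render_search_vulnerable(query: str) -> str:
    """Reflect the search term into the page verbatim (the defect)."""
    return f"<h1>Results for: {query}</h1>"


def render_search_hardened(query: str) -> str:
    """Escape the search term so the browser treats it as text, not markup."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def contains_markup(page: str) -> bool:
    """Detection check: does the rendered page still carry a raw <script> tag?"""
    return "<script" in page.lower()


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie header for the session cookie with HttpOnly set,
    so document.cookie in the page cannot reveal it, and Secure/SameSite
    to limit where it is sent."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Lax"
    c["session"]["path"] = "/"
    return c.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_search_vulnerable(SAMPLE_QUERY))   # markup survives
    print(render_search_hardened(SAMPLE_QUERY))     # markup neutralised
    print(session_cookie_header("EXAMPLE-SESSION-ID"))
```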
