Vulnerability Development mailing list archives

Re: CSS implication


From: "Sverre H. Huseby" <shh () thathost com>
Date: Thu, 21 Mar 2002 15:19:26 +0100

[b0iler]

|   you can change the html of a page.  dangerous for example if the
|   user is supposed to input their username and password, you can
|   change where the form is sent, making it instead a logging script
|   set up on your server.

Imagine an application in which customers would register a request to
transfer money from one place to another.  The transfer request was
stored in a database.  Before the transaction took place, it would be
confirmed by a trusted employee using a web interface to the database.
The employee would e.g. check that the source account was in fact owned
by the person doing the request.

The problem was that it was possible to insert scripts in descriptive
fields.  One could thus register the request with an invalid (someone
else's) account, and include a script that would modify the web page to
display a valid account.  The trusted employee would read the account
number given by the script, while the database still contained the
forged account.  1-0 to the bad guy.


Sverre.

-- 
shh () thathost com                     Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/                http://nerdquiz.thathost.com/
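
The review-page scenario from the message above, as an added example that is not part of the original post: the same stored transfer request rendered without and with output encoding, plus a check that holds back requests whose free-text field contains markup. The record fields, function names and sample rows are assumptions constructed for illustration.

```javascript
// Added example: not code from the original post. All names and data are constructed.

// Sample rows as the employee's review page would read them from the database.
const requests = [
  { id: 1, sourceAccount: "1111.22.33333", description: "Rent for March" },
  { id: 2, sourceAccount: "9999.88.77777",
    description: "<script>/* constructed placeholder for a page-rewriting script */</script>" },
];

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a stored value for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: stored text is concatenated into the page, so markup in the
// description is live and can change what the reviewer sees elsewhere on it.
function renderRowUnsafe(r) {
  return `<tr><td>${r.sourceAccount}</td><td>${r.description}</td></tr>`;
}

// After: every stored field is encoded on output, so the reviewer reads
// exactly what the database holds, including any markup as plain text.
function renderRowSafe(r) {
  return `<tr><td>${escapeHtml(r.sourceAccount)}</td><td>${escapeHtml(r.description)}</td></tr>`;
}

// Secondary check: ids of requests whose free-text field contains markup
// characters, so they can be held for closer review before confirmation.
function flagMarkup(rows) {
  return rows.filter((r) => /[<>]/.test(r.description)).map((r) => r.id);
}

for (const r of requests) {
  console.log(renderRowSafe(r));
}
console.log("held for review:", flagMarkup(requests));
```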

