Re: Can you exploit this XSS?

[Paul Johnston <paul () westpoint ltd uk>]

Hi Michael,

What you describe is "persistent XSS" and the worst kind. But the lesser 
kind, like I described, is still a vulnerability. If you can persuade a 
user to click a malicious link, the malicious javascript will run in 
their browser with the priviliges of the vulnerable site. Getting 
someone to click a link is relatively easy, especially as they may not 
have to literally click it, because of iframe, redirects, etc.

Paul



Scovetta, Michael V wrote:

> As I understand XSS, it is only exploitable when user A enters data that
> user B views. XSS is moot when you can only do it to yourself, so screens
> like that (a redirect), is just a convenience for the user. It should
> still be properly clensed, but I don't see this being a true case of XSS,
> more like JavaScript Injection.
>
> Michael Scovetta
> Application Developer
> Computer Associates International, Inc.
>
>
> -----Original Message-----
> From: Paul Johnston [mailto:paul () westpoint ltd uk]
> Sent: Wednesday, November 19, 2003 7:51 AM
> To: vuln-dev () securityfocus com; rich () westpoint ltd uk
> Subject: Can you exploit this XSS?
>
>
> Hi,
>
> While auditing a web app, I've found the site redirects not found pages 
> to a login screen. This contains an element like:
>
> <input type="hidden"  name="tageturl" value="XXX">
>
> Now, the XXX bit is controlled by the user, and it seems the only 
> characters escaped are " and & - i.e. 
> <script>alert(document.cookie)</script> gets through (hence my tool 
> alerted me).
>
> Can this be exploited for XSS? I can't see how to immediately, but it 
> seems possible.
>
> Paul
>
>  

--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk