Re: XSS

[zeno <bugtraq () cgisecurity net>]

> Hi All,
>
> Thanks to everyone for their responses.
>
> Maybe i did not express myself well enough. What I 
> wanted to know is if a site is vulnerable to XSS but
> doesn't allow any write operation, any postings for
> other users to actualy use the malicious URL, can it
> be used for something else ? The reason i'm asking is
> that the company I work for is vulnerable but doesn't
> allow any kind of user input (basicly it's just
> information site) We have to weight the treath vs
> cost, if nothing can be done with the XSS (no to say
> that they will never allow any user input...) then it
> will have a lower priority in the recommendations and
> if to fix all the web pages cost mucho $$$$ then we
> have to consider that as well.

If your website uses cookies they can be stolen. If these cookies are used in user auth 
(like webmail, wwwboard, voting polls, etc) this poses an obvious problem. 

Rather then *assume* you'll never have any tools like this on your company website and allow
the problem to be forgotten about it would be better to address it now for the following reasons.

1. If someone finds this hole they may publish it to a mailing list or news site. From here
your company will get negative publicity and possibly loose clients. Even if this hole/bug is *useless*
people will see *potential security hole* and question the trust of your company. 

2. Most people won't know what xss is, and most won't bother investigating it. They will only see
*security problem* and decide to use your company based on this. Most also won't want to have to
read a lengthly paper, or deal with tech support to figure out what this means. 

3. Assuming this bug gets known to the public will the cost of fixing it be more or less then you loosing
say 2 percent of your clients due to trust issues?

Just some thoughts



- zeno () cgisecurity com





> Any ideas ?
>
> --- Kevin Spett <kspett () spidynamics com> wrote:
> > We've got an XSS paper that describes a real attack
> > in technical detail.
> > The scenario it uses is a bank login page that uses
> > client-supplied data for
> > a login-failed error message.
> >
> > http://www.spidynamics.com/mktg/xss
> >
> >
> > I hope it helps.
> >
> >
> >
> > Kevin Spett
> > SPI Labs
> > http://www.spidynamics.com/
> >
> > ----- Original Message -----
> > From: "John Madden" <chiwawa999 () yahoo com>
> > To: <webappsec () securityfocus com>
> > Sent: Tuesday, December 10, 2002 9:38 AM
> > Subject: XSS
> >
> >
> > > Hello all,
> > >
> > > Being new to XSS and seing alot of messages in the
> > > last couple weeks on the subject got me
> > wondering...
> > > What is the real vulnerability if the site in
> > > questions is vulnerable to XSS but does not let
> > you
> > > write any malicious scripts on the system, like
> > > message board, forums etc... ? Can anything be
> > done to
> > > exploit XSS if the above scenario occurs ? I know
> > it
> > > depends on the web server, packages installed
> > etc...
> > > I'm asking in generaly is it possible ?
> > >
> > > You can do the document.cookie and view your
> > > cookie, that migth give a hint on the structure
> > but...
> > > or redirect yourself to another web site :) etc...
> > >
> > > I've read the document on XSS by David Endler
> > > http://www.idefense.com/papers.html but still have
> > > some questions.
> > >
> > > If possible, can the XSS guru's on the list shed
> > some
> > > light on the subject.
> > >
> > > Thanks for your time,
> > >
> > > Cheers
> > >
> > >
> > > __________________________________________________
> > > Do you Yahoo!?
> > > Yahoo! Mail Plus - Powerful. Affordable. Sign up
> > now.
> > > http://mailplus.yahoo.com
>
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> http://mailplus.yahoo.com