Re: XSS

["Kevin Spett" <kspett () spidynamics com>]

Fake defacement, if nothing else... Let's say that the affected URL looks
like this:

http://www.vulnerablesite.com/script.jsp?VulnParam=InjectedStuff

And I posted this to a bulletin board, or spammed email around:

http://www.vulnerablesite.com/script.jsp?VulnParam=%3C%66%6F%6E%74%20%3C%68%
74%74%70%3A%2F%2F%77%77%77%2E%76%75%6C%6E%65%72%61%62%6C%65%73%69%74%65%2E%6
3%6F%6D%2F%73%63%72%69%70%74%2E%6A%73%70%3F%56%75%6C%6E%50%61%72%61%6D%3D%3C
%66%6F%6E%74%3E%20%73%69%7A%65%3D%31%30%30%30%30%3E%4F%55%52%20%43%4F%4D%50%
41%4E%59%20%50%52%4F%55%44%4C%59%20%53%55%50%50%4F%52%54%53%20%54%48%45%20%4
1%4C%20%51%55%41%45%44%41%20%4F%52%47%41%4E%49%5A%41%54%49%4F%4E%27%53%20%57
%41%52%20%41%47%41%49%4E%53%54%20%41%4D%45%52%49%43%41%3C%2F%66%6F%6E%74%3E%
D%A

Well, how would that seem?



Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "John Madden" <chiwawa999 () yahoo com>
To: <webappsec () securityfocus com>
Sent: Tuesday, December 10, 2002 11:35 AM
Subject: Re: XSS


> Hi All,
>
> Thanks to everyone for their responses.
>
> Maybe i did not express myself well enough. What I
> wanted to know is if a site is vulnerable to XSS but
> doesn't allow any write operation, any postings for
> other users to actualy use the malicious URL, can it
> be used for something else ? The reason i'm asking is
> that the company I work for is vulnerable but doesn't
> allow any kind of user input (basicly it's just
> information site) We have to weight the treath vs
> cost, if nothing can be done with the XSS (no to say
> that they will never allow any user input...) then it
> will have a lower priority in the recommendations and
> if to fix all the web pages cost mucho $$$$ then we
> have to consider that as well.
>
> Any ideas ?
>
> --- Kevin Spett <kspett () spidynamics com> wrote:
> > We've got an XSS paper that describes a real attack
> > in technical detail.
> > The scenario it uses is a bank login page that uses
> > client-supplied data for
> > a login-failed error message.
> >
> > http://www.spidynamics.com/mktg/xss
> >
> >
> > I hope it helps.
> >
> >
> >
> > Kevin Spett
> > SPI Labs
> > http://www.spidynamics.com/
> >
> > ----- Original Message -----
> > From: "John Madden" <chiwawa999 () yahoo com>
> > To: <webappsec () securityfocus com>
> > Sent: Tuesday, December 10, 2002 9:38 AM
> > Subject: XSS
> >
> >
> > > Hello all,
> > >
> > > Being new to XSS and seing alot of messages in the
> > > last couple weeks on the subject got me
> > wondering...
> > > What is the real vulnerability if the site in
> > > questions is vulnerable to XSS but does not let
> > you
> > > write any malicious scripts on the system, like
> > > message board, forums etc... ? Can anything be
> > done to
> > > exploit XSS if the above scenario occurs ? I know
> > it
> > > depends on the web server, packages installed
> > etc...
> > > I'm asking in generaly is it possible ?
> > >
> > > You can do the document.cookie and view your
> > > cookie, that migth give a hint on the structure
> > but...
> > > or redirect yourself to another web site :) etc...
> > >
> > > I've read the document on XSS by David Endler
> > > http://www.idefense.com/papers.html but still have
> > > some questions.
> > >
> > > If possible, can the XSS guru's on the list shed
> > some
> > > light on the subject.
> > >
> > > Thanks for your time,
> > >
> > > Cheers
> > >
> > >
> > > __________________________________________________
> > > Do you Yahoo!?
> > > Yahoo! Mail Plus - Powerful. Affordable. Sign up
> > now.
> > > http://mailplus.yahoo.com
>
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> http://mailplus.yahoo.com