Re: XSS

[Matthew Miller <mmiller () atstake com>]

Ed,

Comments inline....

On Wednesday, December 11, 2002, at 03:15 PM, Ed Tracy @ Aspect 
Security wrote:

> John,
>
>   I don't think the other posts have directly answered your question.  
> I
> will try:
>
>   In order for a site to be susceptible to XSS attacks, the site needs 
> to
> accept user input and repost that user input.  This would allow for the
> two ingredients of XSS: 1. Receiving malicious code from an attacker. 
> 2.
> Delivering that malicious code to a valid user.  Accordingly, the 
> answer
> is NO.  Your site should be safe from XSS.

If there is no persistent data this is true...keep in mind your 
application may be safe, but the components on which you host it may be 
vulnerable.
>   However, if your site has any content-altering vulnerabilities (would
> suffice ingredient 1 above), an XSS-like URL can be implanted in the
> content.  This may be what Matt was referring to when he said any user
> input makes a site vulnerable.  Though I think this wouldn't be called
> XSS.

This is basically what I am trying to describe with persistent XSS.

>   Academic detail:
>   I think we have hit on few different types off XSS.  Now, Matt, what
> exactly do you mean by persistent vs. transactional?  I have some
> guesses, but can you give some examples that show the two types you are
> pointing out?  Other than a chat-room scenario, how do you get 
> malicious
> code from the attack to a valid user without storing it?

Examples of transaction based cross-site scripting include, area tags, 
a form on another site, redirects from another site (meta tags, 
script), html based email, malicious applications,  etc... All of the 
above require user action; clicking on a link, submitting a form, 
visiting a malicious site. opening an email, executing an application.

Examples of persistent data stores would be databases (e.g. 3 tier web 
app), files in which data is stored (e.g. webmail), other sites the 
application receives data from (e.g. newsfeeds), in memory (e.g. 
web-based chat server), client side data stores (e.g. cookies), 
etc...All of the above do not require user action, all the user has to 
do is visit the vulnerable site.

Just a note, but XSS does not always have to be script code....HTML 
injection may be a better term, but XSS seems to have caught on.

mm


> -Ed
>
> > Hi All,
> >
> > Thanks to everyone for their responses.
> >
> > Maybe i did not express myself well enough. What I
> > wanted to know is if a site is vulnerable to XSS but
> > doesn't allow any write operation, any postings for
> > other users to actualy use the malicious URL, can it
> > be used for something else ? The reason i'm asking is
> > that the company I work for is vulnerable but doesn't
> > allow any kind of user input (basicly it's just
> > information site) We have to weight the treath vs
> > cost, if nothing can be done with the XSS (no to say
> > that they will never allow any user input...) then it
> > will have a lower priority in the recommendations and
> > if to fix all the web pages cost mucho $$$$ then we
> > have to consider that as well.
> >
> > Any ideas ?
> >
> > --- Kevin Spett <kspett () spidynamics com> wrote:
> > > We've got an XSS paper that describes a real attack
> > > in technical detail.
> > > The scenario it uses is a bank login page that uses
> > > client-supplied data for
> > > a login-failed error message.
> > >
> > > http://www.spidynamics.com/mktg/xss
> > >
> > >
> > > I hope it helps.
> > >
> > >
> > >
> > > Kevin Spett
> > > SPI Labs
> > > http://www.spidynamics.com/
> > >
> > > ----- Original Message -----
> > > From: "John Madden" <chiwawa999 () yahoo com>
> > > To: <webappsec () securityfocus com>
> > > Sent: Tuesday, December 10, 2002 9:38 AM
> > > Subject: XSS
> > >
> > >
> > > > Hello all,
> > > >
> > > > Being new to XSS and seing alot of messages in the
> > > > last couple weeks on the subject got me
> > > wondering...
> > > > What is the real vulnerability if the site in
> > > > questions is vulnerable to XSS but does not let
> > > you
> > > > write any malicious scripts on the system, like
> > > > message board, forums etc... ? Can anything be
> > > done to
> > > > exploit XSS if the above scenario occurs ? I know
> > > it
> > > > depends on the web server, packages installed
> > > etc...
> > > > I'm asking in generaly is it possible ?
> > > >
> > > > You can do the document.cookie and view your
> > > > cookie, that migth give a hint on the structure
> > > but...
> > > > or redirect yourself to another web site :) etc...
> > > >
> > > > I've read the document on XSS by David Endler
> > > > http://www.idefense.com/papers.html but still have
> > > > some questions.
> > > >
> > > > If possible, can the XSS guru's on the list shed
> > > some
> > > > light on the subject.
> > > >
> > > > Thanks for your time,
> > > >
> > > > Cheers
> > > >
> > > >
> > > > __________________________________________________
> > > > Do you Yahoo!?
> > > > Yahoo! Mail Plus - Powerful. Affordable. Sign up
> > > now.
> > > > http://mailplus.yahoo.com
> >
> >
> > __________________________________________________
> > Do you Yahoo!?
> > Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> > http://mailplus.yahoo.com
>
>
> ************************************************
> ed.tracy () aspectsecurity com
>
> Security Engineer,
> Aspect Security, Inc.
> www.aspectsecurity.com
> 9175 Guilford Rd, Ste 300
> Columbia, MD  21046
>
> Securing the Last Mile of the Internet
>
> Cell: 443.745.6270
> Offc: 301.604.4882
> Fax : 781.240.7886
> ************************************************