WebApp Sec mailing list archives

Re: Advanced XSS paper and semi-new attack

From: Härnhammar, Ulf <Ulf.Harnhammar.9485 () student uu se>
Date: Mon, 20 Oct 2003 12:50:58 +0200

That's an interesting paper! Some points I thought about while reading it:

* Many environments (PHP, Perl+CGI.pm) accept both POSTed and GETted data. At 
least in some circumstances, they just put it in a structure for incoming data 
without much regard for what HTTP method was used.

* Several HTML constructs (<img>, <frame>, <iframe>..) will make the web 
browser start fetching a URL as soon as the web browser sees it, without asking 
the user first. In environments where there is either an XSS problem or an HTML 
filter that allows these constructs, they can be used for either:

a) performing actions in a web application under other people's names. For 
example, <img src="password-change.php?new=client&amp;again=client">

b) using someone else as a proxy for cracking into some server. For example, 
<frame 
src="ftp://ftp.vulnerable.org/AAAAAAAAAAAAAAAAAAAAAbufferoverflowfromhellAAA";>

* An additional difficulty is that web browsers accept redirects for images, so 
someone could include an image ostensibly pointing to a PNG image on their 
server but which immediately redirects to a mail sending script at your server.

* This evil redirect problem isn't just related to XSS and such things. It can 
also be used together with social engineering. If people see an interesting 
link and click it, they don't expect the link to redirect back to the web 
application that they're logged in to and do nasty things there, but it can 
happen.

(I'm not sure if this information was new or not, just some stuff I've had 
lying around in my notebooks for months without writing it up.)

-- 
Ulf Härnhammar, student, Uppsala Universitet

"My ideas / often hit / platform six at London Bridge / took a train /
 thought of you / only until Waterloo"
-- Vic Twenty, "Kiss You"

På spaning efter den webbransch som flytt
 http://home.student.uu.se/ulha9485/text/webbransch.html

kses - PHP HTML/XHTML filter
 http://sourceforge.net/projects/kses

Current thread:

Advanced XSS paper and semi-new attack Gavin Zuchlinski (Oct 18)
- <Possible follow-ups>
- Re: Advanced XSS paper and semi-new attack Härnhammar , Ulf (Oct 20)
- Re: Advanced XSS paper and semi-new attack Härnhammar , Ulf (Oct 20)