WebApp Sec mailing list archives
Re: myspace hack
From: Tom Gallagher <tom () SecurityBugHunter com>
Date: Fri, 14 Oct 2005 22:31:43 -0400
I talk with people about this issue often. I've heard people call it many names - one is Same Site Scripting. When this name is used, there is often a misunderstanding by people unfamiliar with the name. The problem stems from people having different ideas of what a site is. Some people think of a web site as a fully qualified domain name and all directories in it. However, other people treat different URLs under the same domain as different sites. For example: www.example.com/user1 and www.example.com/user2 are different sites.

I personally like to use Same Domain Scripting. The reason is when we look at browser/web client bugs, we often talk about cross domain access. This issue doesn't allow for cross domain access, but instead access within the same domain through script. These attacks often don't require XMLHttp.

Just a thought...

Tom

Quoting Tim Brown <tmb () 65535 com>:
> On Friday 14 Oct 2005 15:29, Reynolds, Jake wrote:
> > I wouldn't consider this an XSS attack. Where in the attack did
> > information cross sites? This seems like it is an embedded XSS attack
> > in that a malicious script was entered into a profile in hopes that
> > victims would view and execute it. However, nothing was sent across
> > sites via the script. The vulnerability was a lack of output
> > validation in my opinion, which is the same vulnerability that an XSS
> > attack would exploit.
> >
> > I don't know how you would classify the attack... Probably
> > "self-replicating session riding". Yeah that has a nice FUD-factor to
> > it.
>
> I coined the term Same Site Scripting to describe the act of abusing
> XMLHttpRequest whilst playing around with this attack vector for a paper
> I'm writing. Anyone have a better suggestion?
>
> Cheers,
> Tim
> --
> Tim Brown
> <mailto:tmb () 65535 com>