WebApp Sec mailing list archives

RE: XSS


From: "Eyal Udassin" <eyal () webcohort com>
Date: Tue, 10 Dec 2002 17:23:11 +0200

Hi John,

There are two main issues concerning XSS:

1.
Say you set your browser to fully trust your bank's site and allow it to
run scripts in your browser. On the other hand, you deny that privilege
from the rest of the sites you visit.
If the bank's site is vulnerable to XSS, when you click on a malformed URL
that was presented to you at hacker.com, you will be redirected to your
bank's site (which you previously granted scripting rights) and the
malicious script written by someone at hacker.com will run.

XSS in that manner is a very good way to run scripts on cautious clients
that allow only very specific sites to send them scripts.

2.
Following the previous example, let's say that you are logging into your
bank account. 
What usually happens is that the server issues you a session cookie
which from now on will identify you as the user you entered in the login
screen.
Clicking on the previously mentioned URL at hacker.com might run a
script that will send your cookie back to the attacker. What happens in
99% of the sites I've tested is that from that point on the attacker can
access your bank account without ever needing your username or password.
The cookie itself is mostly satisfactory.


-----Original Message-----
From: John Madden [mailto:chiwawa999 () yahoo com] 
Sent: Tuesday, December 10, 2002 4:39 PM
To: webappsec () securityfocus com
Subject: XSS


Hello all,

Being new to XSS and seeing a lot of messages in the
last couple of weeks on the subject got me wondering...

What is the real vulnerability if the site in
question is vulnerable to XSS but does not let you
write any malicious scripts on the system, like a
message board, forums etc.? Can anything be done to
exploit XSS if the above scenario occurs? I know it
depends on the web server, packages installed etc...
I'm asking in general, is it possible?

You can do the document.cookie and view your
cookie, that might give a hint on the structure but...
or redirect yourself to another web site :) etc...

I've read the document on XSS by David Endler
http://www.idefense.com/papers.html but still have some questions.
 
If possible, can the XSS gurus on the list shed some
light on the subject.

Thanks for your time,

Cheers


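The reflected-parameter case Eyal describes, as an added example that is not part of the original thread: a search page on the trusted site echoes the `q` parameter from the URL into its HTML, so a link shown on another site ends up as a script element on the trusted page, while the HTML-encoded rendering shows the same text as text. `bank.example`, the search page and the cookie name are constructed; the `HttpOnly` cookie attribute is a later mitigation not mentioned in the thread that keeps a script which does run from reading the session cookie.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a link that a third-party page could show the user.
# The trusted site's search page echoes the "q" parameter into its HTML.
REFLECTED_URL = (
    "https://bank.example/search?q="
    "%3Cscript%3Ealert(document.cookie)%3C/script%3E"
)


def query_param(url: str, name: str) -> str:
    """Return the first (URL-decoded) value of a query parameter."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(term: str) -> str:
    # Defect: user-controlled text is concatenated straight into the markup,
    # so a "<script>" in the URL becomes a script element on the trusted page.
    return f"<p>Results for: {term}</p>"


def render_fixed(term: str) -> str:
    # Fix: HTML-encode before output, so the browser displays the text as text
    # instead of parsing it as markup.
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def contains_script_element(markup: str) -> bool:
    """Crude check used only to show the difference between the two renderings."""
    return "<script" in markup.lower()


def session_cookie_header(session_id: str) -> str:
    # Limits the cookie-theft case from the thread: HttpOnly stops
    # document.cookie from exposing the session identifier to script.
    # Cookie name and value are constructed.
    return f"Set-Cookie: SESSIONID={session_id}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    term = query_param(REFLECTED_URL, "q")
    print(render_vulnerable(term))   # script element reaches the browser
    print(render_fixed(term))        # same input shown as inert text
    print(session_cookie_header("constructed-session-id"))
```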

