WebApp Sec mailing list archives

RE: XSS


From: "David Endler" <dendler () idefense com>
Date: Tue, 10 Dec 2002 13:40:08 -0500

Hi John,

I guess what you're asking is if your company has a vulnerable 
static web site, should you really care?  With regard to that 
web site's data, you're probably safe, unless you're sharing 
cookies/tokens across multiple domains (e.g. MS passport). I 
know I'm belaboring the point which has been made in other 
mailing list posts, but you can do a lot more with XSS besides 
cookie stealing/account hijacking.

XSS attacks can be used to assist in various types of browser 
exploitation (buffer/heap overflow, browser hijacking, etc.) 
which can lead to revealing sensitive information/files on the 
desktop or network file system, denial of service scripting 
against the user or others, or potentially any code the 
attacker can get the browser to launch with the privileges of 
that user.  

How does this affect your web site data directly?  It may not. 
But vulnerable users (and your clients) are much more likely 
to click on malicious web or email links with domains they 
know and trust (e.g. yahoo.com, cnn.com, yourcompany.com, 
etc.).  

-dave
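
The scenario the replies keep coming back to (a page that reflects client-supplied text into a login-failed message, with the payload carried only in the link, nothing stored server-side) as an added example; this is not code from any poster, and the URL, parameter name and page markup are constructed.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a "login failed" link of the kind a victim would be sent.
# The server stores nothing; the payload travels only in the URL, which is why
# a read-only information site is still exposed.
SAMPLE_URL = ("https://bank.example/login"
              "?error=%22%3E%3Cscript%3Ealert(1)%3C/script%3E")


def error_message_from_url(url: str) -> str:
    """Pull the 'error' parameter out of the request URL, as the page would."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("error", [""])[0]


def render_vulnerable(msg: str) -> str:
    """Sink as described in the thread: client text dropped straight into markup."""
    return f"<p class='error'>Login failed: {msg}</p>"


def render_escaped(msg: str) -> str:
    """Fix: HTML-escape on output so the browser treats the text as data."""
    return f"<p class='error'>Login failed: {html.escape(msg, quote=True)}</p>"


def render_attribute_escaped(msg: str) -> str:
    """Attribute context: quote=True matters here, since a bare double quote
    would otherwise close the value and let new attributes in."""
    return f'<input name="user" value="{html.escape(msg, quote=True)}">'


def reflects_markup(page: str, msg: str) -> bool:
    """Review check: input containing angle brackets comes back verbatim."""
    return ("<" in msg or ">" in msg) and msg in page


if __name__ == "__main__":
    msg = error_message_from_url(SAMPLE_URL)
    print("vulnerable:", render_vulnerable(msg))
    print("escaped:   ", render_escaped(msg))
    print("attribute: ", render_attribute_escaped(msg))
```

The same escaping has to be applied in every context the text lands in (text node, attribute, and separately for JavaScript or URL contexts); escaping for one context does not cover the others.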

 

-----Original Message-----
From: John Madden [mailto:chiwawa999 () yahoo com]
Sent: Tuesday, December 10, 2002 11:36 AM
To: webappsec () securityfocus com
Subject: Re: XSS


Hi All,

Thanks to everyone for their responses.

Maybe I did not express myself well enough. What I
wanted to know is if a site is vulnerable to XSS but
doesn't allow any write operation, any postings for
other users to actually use the malicious URL, can it
be used for something else? The reason I'm asking is
that the company I work for is vulnerable but doesn't
allow any kind of user input (basically it's just an
information site). We have to weigh the threat vs.
cost; if nothing can be done with the XSS (not to say
that they will never allow any user input...) then it
will have a lower priority in the recommendations, and
if fixing all the web pages costs mucho $$$$ then we
have to consider that as well.

Any ideas?

--- Kevin Spett <kspett () spidynamics com> wrote:
We've got an XSS paper that describes a real attack
in technical detail. The scenario it uses is a bank
login page that uses client-supplied data for a
login-failed error message.

http://www.spidynamics.com/mktg/xss


I hope it helps.



Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "John Madden" <chiwawa999 () yahoo com>
To: <webappsec () securityfocus com>
Sent: Tuesday, December 10, 2002 9:38 AM
Subject: XSS


Hello all,

Being new to XSS and seeing a lot of messages in the
last couple weeks on the subject got me wondering...

What is the real vulnerability if the site in
question is vulnerable to XSS but does not let you
write any malicious scripts on the system, like a
message board, forums etc...? Can anything be done to
exploit XSS if the above scenario occurs? I know it
depends on the web server, packages installed etc...
I'm asking in general: is it possible?

You can do the document.cookie and view your
cookie, that might give a hint on the structure
but... or redirect yourself to another web site :)
etc...

I've read the document on XSS by David Endler
(http://www.idefense.com/papers.html) but still have
some questions.

If possible, can the XSS gurus on the list shed
some light on the subject.

Thanks for your time,

Cheers


__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up
now.
http://mailplus.yahoo.com



