Re: XSS

[zeno <bugtraq () cgisecurity net>]

> Hey zeno, and others...

Hi! :p


> In this particular instance this scenario may work.
>
> The vuln site is widgets.com and has a xxs flaw.
>
> I run a news story on my site saying widgets.com is going out of business
> because of '.......' and give a link to widgets.com/<xss stuff>, people
> clicking on the link will be taken to widgets.com and shown an iframe with
> the fake new story. This will appear as if it is actually on widgets.com and
> thus believable.


Yup that to. I did this once on perl.com with a xss in the search engine. Made a fake story
make it into a image and hex encoded the url and sent it to the lists. It even managed to fool
a staff member for a little bit.

This was the fake story I posted to the security lists as real.
http://www.cgisecurity.com/time.jpg

- zeno



> Another use of xss which I have not seen mentioned is.
>
> If the page that has xss holes, also displays information such as passwords,
> then the XSS can be used to grep the info from the page and send it back out
> to the net.
>
> Brett
>
> > -----Original Message-----
> > From: zeno [mailto:bugtraq () cgisecurity net]
> > Sent: Wednesday, 11 December 2002 07:36
> > To: John Madden
> > Cc: webappsec () securityfocus com
> > Subject: Re: XSS
> >
> >
> > > Hi All,
> > >
> > > Thanks to everyone for their responses.
> > >
> > > Maybe i did not express myself well enough. What I
> > > wanted to know is if a site is vulnerable to XSS but
> > > doesn't allow any write operation, any postings for
> > > other users to actualy use the malicious URL, can it
> > > be used for something else ? The reason i'm asking is
> > > that the company I work for is vulnerable but doesn't
> > > allow any kind of user input (basicly it's just
> > > information site) We have to weight the treath vs
> > > cost, if nothing can be done with the XSS (no to say
> > > that they will never allow any user input...) then it
> > > will have a lower priority in the recommendations and
> > > if to fix all the web pages cost mucho $$$$ then we
> > > have to consider that as well.
> >
> > If your website uses cookies they can be stolen. If these cookies
> > are used in user auth
> > (like webmail, wwwboard, voting polls, etc) this poses an obvious
> > problem.
> >
> > Rather then *assume* you'll never have any tools like this on
> > your company website and allow
> > the problem to be forgotten about it would be better to address
> > it now for the following reasons.
> >
> > 1. If someone finds this hole they may publish it to a mailing
> > list or news site. From here
> > your company will get negative publicity and possibly loose
> > clients. Even if this hole/bug is *useless*
> > people will see *potential security hole* and question the trust
> > of your company.
> >
> > 2. Most people won't know what xss is, and most won't bother
> > investigating it. They will only see
> > *security problem* and decide to use your company based on this.
> > Most also won't want to have to
> > read a lengthly paper, or deal with tech support to figure out
> > what this means.
> >
> > 3. Assuming this bug gets known to the public will the cost of
> > fixing it be more or less then you loosing
> > say 2 percent of your clients due to trust issues?
> >
> > Just some thoughts
> >
> >
> >
> > - zeno () cgisecurity com
> >
> >
> >
> >
> >
> > > Any ideas ?
> > >
> > > --- Kevin Spett <kspett () spidynamics com> wrote:
> > > > We've got an XSS paper that describes a real attack
> > > > in technical detail.
> > > > The scenario it uses is a bank login page that uses
> > > > client-supplied data for
> > > > a login-failed error message.
> > > >
> > > > http://www.spidynamics.com/mktg/xss
> > > >
> > > >
> > > > I hope it helps.
> > > >
> > > >
> > > >
> > > > Kevin Spett
> > > > SPI Labs
> > > > http://www.spidynamics.com/
> > > >
> > > > ----- Original Message -----
> > > > From: "John Madden" <chiwawa999 () yahoo com>
> > > > To: <webappsec () securityfocus com>
> > > > Sent: Tuesday, December 10, 2002 9:38 AM
> > > > Subject: XSS
> > > >
> > > >
> > > > > Hello all,
> > > > >
> > > > > Being new to XSS and seing alot of messages in the
> > > > > last couple weeks on the subject got me
> > > > wondering...
> > > > > What is the real vulnerability if the site in
> > > > > questions is vulnerable to XSS but does not let
> > > > you
> > > > > write any malicious scripts on the system, like
> > > > > message board, forums etc... ? Can anything be
> > > > done to
> > > > > exploit XSS if the above scenario occurs ? I know
> > > > it
> > > > > depends on the web server, packages installed
> > > > etc...
> > > > > I'm asking in generaly is it possible ?
> > > > >
> > > > > You can do the document.cookie and view your
> > > > > cookie, that migth give a hint on the structure
> > > > but...
> > > > > or redirect yourself to another web site :) etc...
> > > > >
> > > > > I've read the document on XSS by David Endler
> > > > > http://www.idefense.com/papers.html but still have
> > > > > some questions.
> > > > >
> > > > > If possible, can the XSS guru's on the list shed
> > > > some
> > > > > light on the subject.
> > > > >
> > > > > Thanks for your time,
> > > > >
> > > > > Cheers
> > > > >
> > > > >
> > > > > __________________________________________________
> > > > > Do you Yahoo!?
> > > > > Yahoo! Mail Plus - Powerful. Affordable. Sign up
> > > > now.
> > > > > http://mailplus.yahoo.com
> > >
> > >
> > > __________________________________________________
> > > Do you Yahoo!?
> > > Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> > > http://mailplus.yahoo.com