WebApp Sec mailing list archives

Re: XSS

From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Wed, 11 Dec 2002 10:57:47 -0500

Matt is exactly right here. Even web sites with no storage can be
susceptible to really serious XSS attacks.  These attacks are simply
reflected off a vulnerable server.  We've been calling these 'external
XSS' attacks -- because the attack is never stored on the vulnerable web
server.

Can anyone think of any differences between 'persistent' and 'external'
XSS attacks in terms of the damage they can cause?  They are definitely
different in terms of the difficulty of launching the attack (external XSS
may even be easier!) -- but the consequences are the same right?  If
that's true then 'external XSS' would represent a more serious risk than
the persistent variety.

--Jeff

Jeff Williams
jeff.williams () aspectsecurity com
Aspect Security, Inc.
www.aspectsecurity.com


----- Original Message -----
From: Matthew Miller
To: John Madden
Cc: webappsec () securityfocus com
Sent: Wednesday, December 11, 2002 8:03 AM
Subject: Re: XSS


John-

Two things....

First, there are really two types of XSS.  Persistent, where the
injected code is stored within the web application, such as in
distribution lists, databases, etc..., Transaction based, requiring a
user to perform an action in order to be affected, such as click on a
link, view a page with malicious script in it, etc...  Therefore, any
site that is accepting any form of user input is potentially
vulnerable...though the risk of persistent XSS exceeds the risk of
transaction based XSS in most cases.

Second, XSS is not only used to grab a users session ID.  An attacker
could inject code into the page to redirect the user or modify
presentation of content.  Imagine an corporate site where you could
add/modify a press release or news items, could you impact the
companies stock price or lessen consumer confidence?  Imagine a
pharmaceutical site where you could modify dosage for medication, could
you get someone to overdose?

mm
--
Matthew P. Miller
www.atstake.com

On Tuesday, December 10, 2002, at 11:35 AM, John Madden wrote:

Hi All,

Thanks to everyone for their responses.

Maybe i did not express myself well enough. What I
wanted to know is if a site is vulnerable to XSS but
doesn't allow any write operation, any postings for
other users to actualy use the malicious URL, can it
be used for something else ? The reason i'm asking is
that the company I work for is vulnerable but doesn't
allow any kind of user input (basicly it's just
information site) We have to weight the treath vs
cost, if nothing can be done with the XSS (no to say
that they will never allow any user input...) then it
will have a lower priority in the recommendations and
if to fix all the web pages cost mucho $$$$ then we
have to consider that as well.

Any ideas ?

--- Kevin Spett <kspett () spidynamics com> wrote:

We've got an XSS paper that describes a real attack
in technical detail.
The scenario it uses is a bank login page that uses
client-supplied data for
a login-failed error message.

http://www.spidynamics.com/mktg/xss


I hope it helps.



Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "John Madden" <chiwawa999 () yahoo com>
To: <webappsec () securityfocus com>
Sent: Tuesday, December 10, 2002 9:38 AM
Subject: XSS

Hello all,

Being new to XSS and seing alot of messages in the
last couple weeks on the subject got me

wondering...


What is the real vulnerability if the site in
questions is vulnerable to XSS but does not let

you

write any malicious scripts on the system, like
message board, forums etc... ? Can anything be

done to

exploit XSS if the above scenario occurs ? I know

it

depends on the web server, packages installed

etc...

I'm asking in generaly is it possible ?

You can do the document.cookie and view your
cookie, that migth give a hint on the structure

but...

or redirect yourself to another web site :) etc...

I've read the document on XSS by David Endler
http://www.idefense.com/papers.html but still have
some questions.

If possible, can the XSS guru's on the list shed

some

light on the subject.

Thanks for your time,

Cheers


__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up

now.

http://mailplus.yahoo.com



__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

Current thread:

XSS John Madden (Dec 10)
- RE: XSS Eyal Udassin (Dec 10)
- Re: XSS Kevin Spett (Dec 10)
  - Re: XSS John Madden (Dec 10)
    - Re: XSS Kevin Spett (Dec 10)
    - Re: XSS Stephen de Vries (Dec 11)
    - Re: XSS Matthew Miller (Dec 11)
    - Re: XSS Jeff Williams @ Aspect (Dec 11)
    - Re: XSS Sverre H. Huseby (Dec 19)
    - Re: XSS Ed Tracy @ Aspect Security (Dec 11)
    - Re: XSS Matthew Miller (Dec 11)
    - Re: XSS HarryM (Dec 15)
- <Possible follow-ups>
- Re: XSS zeno (Dec 10)
- RE: XSS Ernesto Funes (Dec 10)
- Re: XSS zeno (Dec 10)
  - RE: XSS Brett Moore (Dec 10)
    - Re: XSS zeno (Dec 10)
- RE: XSS David Endler (Dec 10)

(Thread continues...)