WebApp Sec mailing list archives
Re: XSS
From: "Ed Tracy @ Aspect Security" <ed.tracy () aspectsecurity com>
Date: Wed, 11 Dec 2002 15:15:50 -0500 (EST)
John, I don't think the other posts have directly answered your question. I will try: In order for a site to be susceptible to XSS attacks, the site needs to accept user input and repost that user input. This would allow for the two ingredients of XSS: 1. Receiving malicious code from an attacker. 2. Delivering that malicious code to a valid user. Accordingly, the answer is NO. Your site should be safe from XSS. However, if your site has any content-altering vulnerabilities (would suffice ingredient 1 above), an XSS-like URL can be implanted in the content. This may be what Matt was referring to when he said any user input makes a site vulnerable. Though I think this wouldn't be called XSS. Academic detail: I think we have hit on few different types off XSS. Now, Matt, what exactly do you mean by persistent vs. transactional? I have some guesses, but can you give some examples that show the two types you are pointing out? Other than a chat-room scenario, how do you get malicious code from the attack to a valid user without storing it? -Ed
Hi All, Thanks to everyone for their responses. Maybe i did not express myself well enough. What I wanted to know is if a site is vulnerable to XSS but doesn't allow any write operation, any postings for other users to actualy use the malicious URL, can it be used for something else ? The reason i'm asking is that the company I work for is vulnerable but doesn't allow any kind of user input (basicly it's just information site) We have to weight the treath vs cost, if nothing can be done with the XSS (no to say that they will never allow any user input...) then it will have a lower priority in the recommendations and if to fix all the web pages cost mucho $$$$ then we have to consider that as well. Any ideas ? --- Kevin Spett <kspett () spidynamics com> wrote:We've got an XSS paper that describes a real attack in technical detail. The scenario it uses is a bank login page that uses client-supplied data for a login-failed error message. http://www.spidynamics.com/mktg/xss I hope it helps. Kevin Spett SPI Labs http://www.spidynamics.com/ ----- Original Message ----- From: "John Madden" <chiwawa999 () yahoo com> To: <webappsec () securityfocus com> Sent: Tuesday, December 10, 2002 9:38 AM Subject: XSSHello all, Being new to XSS and seing alot of messages in the last couple weeks on the subject got mewondering...What is the real vulnerability if the site in questions is vulnerable to XSS but does not letyouwrite any malicious scripts on the system, like message board, forums etc... ? Can anything bedone toexploit XSS if the above scenario occurs ? I knowitdepends on the web server, packages installedetc...I'm asking in generaly is it possible ? You can do the document.cookie and view your cookie, that migth give a hint on the structurebut...or redirect yourself to another web site :) etc... I've read the document on XSS by David Endler http://www.idefense.com/papers.html but still have some questions. If possible, can the XSS guru's on the list shedsomelight on the subject. Thanks for your time, Cheers __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign upnow.http://mailplus.yahoo.com__________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com
************************************************ ed.tracy () aspectsecurity com Security Engineer, Aspect Security, Inc. www.aspectsecurity.com 9175 Guilford Rd, Ste 300 Columbia, MD 21046 Securing the Last Mile of the Internet Cell: 443.745.6270 Offc: 301.604.4882 Fax : 781.240.7886 ************************************************