WebApp Sec mailing list archives
Re: XSS
From: Matthew Miller <mmiller () atstake com>
Date: Wed, 11 Dec 2002 16:29:31 -0500
Ed, comments inline....

On Wednesday, December 11, 2002, at 03:15 PM, Ed Tracy @ Aspect Security wrote:

John,

I don't think the other posts have directly answered your question. I will try:

In order for a site to be susceptible to XSS attacks, the site needs to accept user input and repost that user input. This would allow for the two ingredients of XSS: 1. Receiving malicious code from an attacker. 2. Delivering that malicious code to a valid user. Accordingly, the answer is NO. Your site should be safe from XSS.
If there is no persistent data this is true...keep in mind your application may be safe, but the components on which you host it may be vulnerable.
However, if your site has any content-altering vulnerabilities (would suffice ingredient 1 above), an XSS-like URL can be implanted in the content. This may be what Matt was referring to when he said any user input makes a site vulnerable. Though I think this wouldn't be called XSS.
This is basically what I am trying to describe with persistent XSS.
Academic detail: I think we have hit on a few different types of XSS. Now, Matt, what exactly do you mean by persistent vs. transactional? I have some guesses, but can you give some examples that show the two types you are pointing out? Other than a chat-room scenario, how do you get malicious code from the attacker to a valid user without storing it?

Examples of transaction-based cross-site scripting include area tags, a form on another site, redirects from another site (meta tags, script), HTML-based email, malicious applications, etc... All of the above require user action: clicking on a link, submitting a form, visiting a malicious site, opening an email, executing an application.
Examples of persistent data stores would be databases (e.g. 3-tier web app), files in which data is stored (e.g. webmail), other sites the application receives data from (e.g. newsfeeds), in memory (e.g. web-based chat server), client-side data stores (e.g. cookies), etc... All of the above do not require user action; all the user has to do is visit the vulnerable site.
Just a note, but XSS does not always have to be script code....HTML injection may be a better term, but XSS seems to have caught on.
mm
-Ed

Hi All,

Thanks to everyone for their responses. Maybe I did not express myself well enough. What I wanted to know is if a site is vulnerable to XSS but doesn't allow any write operation, any postings for other users to actually use the malicious URL, can it be used for something else? The reason I'm asking is that the company I work for is vulnerable but doesn't allow any kind of user input (basically it's just an information site). We have to weigh the threat vs. cost; if nothing can be done with the XSS (not to say that they will never allow any user input...) then it will have a lower priority in the recommendations, and if fixing all the web pages costs mucho $$$$ then we have to consider that as well. Any ideas?

--- Kevin Spett <kspett () spidynamics com> wrote:

We've got an XSS paper that describes a real attack in technical detail. The scenario it uses is a bank login page that uses client-supplied data for a login-failed error message. http://www.spidynamics.com/mktg/xss I hope it helps.

Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "John Madden" <chiwawa999 () yahoo com>
To: <webappsec () securityfocus com>
Sent: Tuesday, December 10, 2002 9:38 AM
Subject: XSS

Hello all,

Being new to XSS and seeing a lot of messages in the last couple of weeks on the subject got me wondering... What is the real vulnerability if the site in question is vulnerable to XSS but does not let you write any malicious scripts on the system, like message boards, forums etc...? Can anything be done to exploit XSS if the above scenario occurs? I know it depends on the web server, packages installed etc... I'm asking in general: is it possible? You can do the document.cookie and view your cookie, that might give a hint on the structure but... or redirect yourself to another web site :) etc... I've read the document on XSS by David Endler http://www.idefense.com/papers.html but still have some questions.

If possible, can the XSS gurus on the list shed some light on the subject.

Thanks for your time,
Cheers

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

************************************************
ed.tracy () aspectsecurity com
Security Engineer, Aspect Security, Inc.
www.aspectsecurity.com
9175 Guilford Rd, Ste 300
Columbia, MD 21046
Securing the Last Mile of the Internet
Cell: 443.745.6270 Offc: 301.604.4882 Fax : 781.240.7886
************************************************
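The thread's point, that a site with no stored user data can still reflect a request parameter straight into a page (the "transactional" case, like the login-failed message Kevin mentions) and that the injected content need not be script at all (Matt's HTML-injection remark), can be shown with a small added example. This code is not from any poster or from the papers linked above; the error-page template, the parameter name `msg` and the sample inputs are all constructed for illustration. It renders the same reflected parameter two ways, once unescaped (the defect) and once HTML-escaped (the fix), and a simple checker reports whether any tag from the input survived into the output, which is the test a reviewer would run on each page before deciding how to prioritise the rework the original poster is weighing.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed error-page template: the site has no persistent user data,
# it only echoes the "msg" query parameter back in the login-failed page.
TEMPLATE = "<html><body><p class='error'>Login failed: {msg}</p></body></html>"

TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def msg_from_url(url: str) -> str:
    """Pull the reflected 'msg' parameter out of a request URL (assumed name)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("msg", [""])[0]


def render_unescaped(msg: str) -> str:
    """The vulnerable version: user-controlled text goes into HTML verbatim."""
    return TEMPLATE.format(msg=msg)


def render_escaped(msg: str) -> str:
    """The hardened version: every HTML metacharacter is entity-encoded
    before it reaches the page, so the browser treats the input as text.
    html.escape(quote=True) also encodes quotes, covering attribute context."""
    return TEMPLATE.format(msg=html.escape(msg, quote=True))


def injected_tags(page: str, user_input: str) -> list:
    """Tags present in the rendered page that were not in the template.
    An empty list means the input was rendered as data, not markup."""
    baseline = {t.lower() for t in TAG_RE.findall(TEMPLATE)}
    found = {t.lower() for t in TAG_RE.findall(page)}
    return sorted(found - baseline)


# Constructed sample requests: one plain, one HTML injection with no script
# at all (Matt's point), one with a script tag.
SAMPLE_URLS = [
    "https://example.test/login?msg=Bad+password",
    "https://example.test/login?msg=%3Cb%3Enot+really+bold%3C%2Fb%3E",
    "https://example.test/login?msg=%3Cscript%3E1%3C%2Fscript%3E",
]


def audit(urls=SAMPLE_URLS) -> dict:
    """For each URL, list which tags leak through the unescaped and the
    escaped renderer. The escaped column should always be empty."""
    report = {}
    for url in urls:
        msg = msg_from_url(url)
        report[url] = {
            "unescaped": injected_tags(render_unescaped(msg), msg),
            "escaped": injected_tags(render_escaped(msg), msg),
        }
    return report


if __name__ == "__main__":
    for url, result in audit().items():
        print(url)
        print("  unescaped leaks:", result["unescaped"] or "none")
        print("  escaped leaks:  ", result["escaped"] or "none")
```

Running it shows the unescaped renderer letting both the `b` and the `script` tag through while the escaped renderer leaks nothing; the `b` case is the reminder that a page which only reflects input can still have its content rewritten even with scripting disabled. Output encoding at the template layer, applied to every reflected value rather than to a blocklist of dangerous strings, is the fix that scales across many pages.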