WebApp Sec mailing list archives
Re: New Web Vulnerability - Cross-Site Tracing
From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: 22 Jan 2003 14:25:57 -0800
On Wed, 2003-01-22 at 13:31, xss-is-lame () hushmail com wrote:
-----BEGIN PGP SIGNED MESSAGE----- I would like to point out that in order to execute an "XST" attack, you have to be able
to able to get JavaScript/Flash/etc executed on the victim's system as a PREREQUISITE. certainly.
So, to summarize: If you can get arbitrary JavaScript executed on a web client, you can use this attack method to
get arbitrary JavaScript executed on a web client, in a different zone. this is correct. Via a web page, message board, web mail, etc etc etc.
Is this a useful thing to know if you're looking for a way to steal cookies? Sure!
Is this a revolutionary tactic that will allow you to compromise the security of any of the webservers listed in the whitepaper? No. Ok... we are not talk about "rooting" the web server here, but compromising the user credentials client-side. The credentials be it cookies or basic authentication, from a protected domain. You can now XSS any domain from the users browser even if the domain has no web apps at all.
This isn't any different from the many, many, many known ways of violating
someone's HTTP client if you can get them to execute Flash or JavaScript or ActiveX of your choice. I must disagree... this is a much much different way to perform a credential theft. But...for the sake of information, can you provide me a link where they do it in this manner? We've seen dozens of holes in IE's security constraints that allow attackers to view files, steal cookies or execute commands. Unlike Guninski or GreyMagic's advisories, this one has simply been built up to ridiculous proportions with marketting language in the press release and in the ExtremeTech article. Again, not using this method.
Current thread:
- Re: New Web Vulnerability - Cross-Site Tracing xss-is-lame (Jan 22)
- Re: New Web Vulnerability - Cross-Site Tracing Jeremiah Grossman (Jan 22)
- <Possible follow-ups>
- Re: New Web Vulnerability - Cross-Site Tracing xss-is-lame (Jan 22)
- Message not available
- Message not available
- Re: New Web Vulnerability - Cross-Site Tracing Jeremiah Grossman (Jan 22)
- Message not available
- Re: New Web Vulnerability - Cross-Site Tracing xss-is-lame (Jan 23)