WebApp Sec mailing list archives

Re: CSS before redirect

From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: Mon, 8 Sep 2003 09:20:26 -0700

In the course of hunting down cross-site scripting, one is bound to
find what I have loosely referred to as "unusable" XSS (bad name).

As most are familiar, XSS is very browser dependent.

Specifically in this case, your browser is likely not interpreting theHTML on a 302response code. Why would it need to anyway. So, as much as this IS anXSS issue,it poses no risk to the browser you are using. Perhaps another browserwould be.

The standard fix could be suggested just the same however, just in case.

Another "unusable"  example would be HTML returning in unused
response headers.

Hope this helps.




On Monday, September 8, 2003, at 08:32  AM, Stephen de Vries wrote:


Hi all,

I'm looking at an application that seems to be vulnerable to CSSattack,

however, the browser keeps following the redirect before running the
script.  The request:

GET /includes?"></a><script>alert('hello')</script> HTTP/1.1

Results in the following response:

HTTP/1.1 302 Object Moved
Location: https://somwhereelse.com
Server: Microsoft-IIS/4.0
Content-Type: text/html
Content-Length: 123

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a

HREF="https://somewhereelse.com/includes/?";></a><script>alert('hello')</script>">here</a>


The CSS injection looks as though it should work, if the browser just
displayed that page, but instead it acts on the redirect immediately
before displaying the page.  This happens in both Mozilla 1.4 and IE 6.

Do you think this represents a security risk ? Do older browsersbehave

in the same way ?  Is it possible to turn this behaviour off ?  Does
cologne make the man ?


cheers,

Stephen

Jeremiah Grossman
Chief Executive Officer
WhiteHat Security, Inc.
Tel: 408.492.1817

===========================================================
 This message and any files transmitted with it, may
 contain confidential and privileged information. This
 message is intended solely for the use of the individual
 or entity to whom it is addressed. If the message has
 been sent to you in error, please reply to inform the
 sender of the error and then delete this message. You
 are notified that reliance on, disclosure of,
 distribution or copying of this message is prohibited.                 

 WhiteHat Security, Inc.                                
===========================================================

Current thread:

CSS before redirect Stephen de Vries (Sep 08)
- Re: CSS before redirect Jeremiah Grossman (Sep 08)
  - Re: CSS before redirect Marc Slemko (Sep 08)
- RE: CSS before redirect Thomas Schreiber (Sep 09)