Classic Cross Site Scripting: Gibson Research Corporation

From: http-equivat_private
Date: Wed May 01 2002 - 09:34:47 PDT


    Wednesday, May 01, 2002
    
    The following represents a classic [fitting] working example of the 
    dangers of Cross Site Scripting.  
    
    [see: http://www.cert.org/advisories/CA-2000-02.html 
    http://www.cert.org/archive/pdf/cross_site_scripting.pdf]
    
    Gibson Research Corporation http://www.grc.com is an interesting site 
    covering a wide variety of security topics for newcomers. Cursory 
    research suggests that it enjoys a substantial loyal following who 
    trust it implicitly.
    
    The problem is two-fold:
    
    1. The site has a web based discussion forum
    2. The site has a custom 'filter', the so-called: "Gibson Research 
    Corporation's IIS Advanced Prophylactic Filter"
    
    This custom 'filter' is supposed to protect the server 
    from 'malicious abuse' and both 'detect and block' invalid requests 
    submitted to the server:
    
    http://www.grc.com/apf/
    
    [screen shot: http://www.malware.com/flitty.png 25KB]
    
    Unfortunately, what it actually does is allow us to inject our own 
    html code through grc.com's secured server.  This is particularly 
    ticklish as it does not take much to conjure up a scenario where we 
    construct a 'fake' e-commerce page, say peddling a book or 'gadget' 
    download and simply invite the loyal following to go and submit their 
    credit card details to our custom form.
    
    The site grc.com is well known and trusted. The page is on a secured 
    server with valid certificates.
    
    Ripe For Picking™
    
    Crude Working example:
    
    note: custom crafted for Internet Explorer 5.5 and 6
    
    http://www.malware.com/grc.html
    
    [screen shot: http://www.malware.com/lucre.png 11KB]
    
    Notes:
    
    1. Watch where you "point and click". It's all smoke and mirrors out 
    there.
    2. 3 mail messages within 72 hours to support @ grc.com remain 
    unanswered to date.
    
    
    End Call
    
    -- 
    http://www.malware.com
    
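The flaw the post describes is the classic reflected XSS pattern: a server-side filter that rejects a request but echoes the request text back into its own HTML response unescaped. The following is an added defender-side example, not code from the post or from GRC's filter; it assumes (hypothetically) that the block page interpolates the request line into HTML, and shows the unsafe pattern beside the escaped one plus a small log check for requests carrying markup. All sample data is constructed.

```python
import html
from urllib.parse import unquote

# Constructed sample: a request a filter would reject, carrying markup in the path.
# Hypothetical; the original post does not show the real request or filter code.
SAMPLE_REQUEST = 'GET /apf/<b>not-a-real-page</b> HTTP/1.1'

# Constructed W3C-style log lines (date time client method uri-stem uri-query status).
SAMPLE_LOG = [
    '2002-05-01 09:34:47 192.0.2.10 GET /default.htm - 200',
    '2002-05-01 09:35:02 192.0.2.10 GET /apf/%3Cb%3Ex%3C/b%3E - 403',
    '2002-05-01 09:35:10 192.0.2.11 GET /apf/ page=1 200',
]

def block_page_unsafe(request_line: str) -> str:
    """Assumed vulnerable pattern: the rejected request is echoed verbatim into HTML,
    so any markup the client put in the request becomes part of the server's page."""
    return ('<html><body><h1>Request blocked</h1>'
            f'<p>The request {request_line} was rejected.</p></body></html>')

def block_page_safe(request_line: str) -> str:
    """Hardened pattern: HTML-escape attacker-controlled text before placing it in
    an HTML body, so '<', '>', '&' and quotes render as text instead of markup."""
    return ('<html><body><h1>Request blocked</h1>'
            f'<p>The request {html.escape(request_line, quote=True)} was rejected.</p>'
            '</body></html>')

def reflects_markup(response: str, request_line: str) -> bool:
    """Check used in testing: does raw markup from the request survive into the response?"""
    tags = [t for t in ('<b>', '</b>', '<script', '<img') if t in request_line]
    return any(t in response for t in tags)

def suspicious_log_lines(lines):
    """Detection helper: flag log entries whose URL-decoded path or query contains
    an HTML tag opener. Noisy on its own, but a cheap first pass over a filter's logs."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue
        path, query = unquote(parts[4]), unquote(parts[5])
        if '<' in path or '<' in query:
            hits.append(line)
    return hits

if __name__ == '__main__':
    for name, fn in (('unsafe', block_page_unsafe), ('safe', block_page_safe)):
        print(f'{name}: reflects markup = {reflects_markup(fn(SAMPLE_REQUEST), SAMPLE_REQUEST)}')
    print('flagged log lines:', suspicious_log_lines(SAMPLE_LOG))
```

The escaped version still tells the user what was rejected; it just no longer lets the request author write HTML into a page served under the trusted site's certificate.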