Re: CSS, CSS & let me give you some more CSS

From: - phinegeek - (phineat_private)
Date: Tue Jan 29 2002 - 12:47:29 PST


    
    >Ok, so I am a little confused.  My understanding of CSS is that an
    >attacker is trying to reach a victim through a 3rd party website.
    >For instance, I post a message to a message board that contains
    >javascript, and it runs on a victim's machine, who viewed that
    >message.  
    >
    >The reason I am confused is that, all of your supposed CSS vulns are
    >directed at search scripts.  Do the queries you are entering get
    >stored on the website, for later viewing by OTHER users?  It doesn't
    >seem likely.  The only person you could exploit would be, well,
    >yourself.  
    >
    >Maybe I have completely missed the boat on this one, and if so,
    >please explain how I could attack someone ELSE with these...
    
    Ah, good question.
    I wouldn't have posted it if it couldn't be utilized in such a way. You can exploit these types of CSS vulns by causing your victim to process a specially formatted URL that is from the trusted source (with your code in it). This is somewhat similar to the concept that many virus writers have used to spread their payload via e-mail file attachments (relying on the fact that most people are stupid enough to open them). Of course, you will need to make sure that GET is supported as the HTTP method for the 3rd party site (usually is). Message board CSS vulns are kinda obvious. These types take a little more thought and are also harder to detect because of the fact that there is no evidence (as there would be on a message board). However, you might be able to catch this by analyzing your logs. It's really much easier to use proper coding techniques and not have to worry about lame bugs like this. Hope it helps.
    
    'phine
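The reflected-in-the-URL variant described in the reply above, as an added illustration that is not part of the original thread: a constructed search handler that echoes the query term into the page, the same handler with HTML escaping (the "proper coding technique" the post refers to), and a small scanner over constructed access-log lines that flags the kind of request the post says you might catch in your logs. The log layout (combined format), the `/search.cgi?q=` parameter and the sample lines are all assumptions.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Constructed example of what a search script might do with its query term:
# interpolate it straight into the HTML it returns.
def render_results_vulnerable(query: str) -> str:
    # Markup or script in the URL parameter ends up in the victim's page as-is.
    return f"<p>Results for: <b>{query}</b></p>"

def render_results_safe(query: str) -> str:
    # Escaping the term before it reaches the page makes the browser render it
    # as text; the same URL now shows the characters instead of running them.
    return f"<p>Results for: <b>{html.escape(query, quote=True)}</b></p>"

# Tags, schemes and event handlers that have no business in a search parameter.
SUSPECT = re.compile(r"<\s*(script|iframe|img|svg)\b|javascript:|on\w+\s*=", re.IGNORECASE)

def suspicious_requests(log_lines):
    """Return (client_ip, path) for combined-format access-log lines whose
    query string carries markup or script once URL-decoded."""
    hits = []
    for line in log_lines:
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"', line)
        if not m:
            continue
        ip, target = m.group(1), m.group(2)
        parts = urlsplit(target)
        decoded = unquote(unquote(parts.query))  # decode twice to catch %25-encoded payloads
        if SUSPECT.search(decoded):
            hits.append((ip, parts.path))
    return hits

# Constructed access-log lines (assumed format; not taken from the thread).
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Jan/2002:12:47:29 -0800] "GET /search.cgi?q=firewall HTTP/1.0" 200 2311',
    '10.0.0.9 - - [29/Jan/2002:12:48:02 -0800] "GET /search.cgi?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 2402',
    '10.0.0.12 - - [29/Jan/2002:12:49:10 -0800] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    term = "<script>alert(1)</script>"
    print(render_results_vulnerable(term))
    print(render_results_safe(term))
    print(suspicious_requests(SAMPLE_LOG))
```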
    
    



    This archive was generated by hypermail 2b30 : Tue Jan 29 2002 - 15:02:15 PST