In-Reply-To: <20020129113027.B10678at_private>

> Ok, so I am a little confused. My understanding of
> CSS is that an attacker is trying to reach a victim
> through a 3rd party website. For instance, I post a
> message to a message board that contains
> javascript, and it runs on a victim's machine, who
> viewed that message.

Yes, this is one form of webApp attack: you are using the CSS attack vector to return user-injected script/HTML/PHP back to a page that is viewable by other website visitors... this is one of the more damaging attacks... but isn't all that CSS is limited to.

> The reason I am confused is that, all of your
> supposed CSS vulns are directed at search
> scripts. Do the queries you are entering get stored
> on the website, for later viewing by OTHER users?
> It doesn't seem likely. The only person you could
> exploit would be, well, yourself.

Search engine inputs are notorious for not sanitizing user input... I believe that is why phine chose to focus on them... and yes, you do bring up a good point: the website queries could be stored on a website... to be viewed later by someone interested in seeing what people are searching for... company user loads up the admin query page... user-injected script is executed, and that website's cookie has now been processed by the attacker's "cookie collection PHP script" (CCPS) on a remote server.

How could this affect John Q. Surfer? Well, let's say I send him a link with a partial hex-converted URL, ex:

http://website.com/someform?input=%73%75%70

This could be used in a social engineering attack to trick another user into visiting this link and having their cookie stolen by the attacker's CCPS... or the attacker could use javascript to manipulate the DOM and act on the user's part to do various actions... let's say post a message automatically on a forum.

> Maybe I have completely missed the boat on this
> one, and if so, please explain how I could attack
> someone ELSE with these...

No, you just didn't see the whole boat through the fog... cheezy I know ;-)

> Now if you showed me that I could slip SQL into one
> of these search boxes, then I would call that a
> vulnerability...

That is a whole other story....

Reference linx:
http://www.cert.org/tech_tips/malicious_code_mitigation.html
http://www.owasp.org/
http://httpd.apache.org/info/css-security/

-Slow2Show-
University of Florida
Disclaimer: I'm just a stupid college kid!
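Added example, not part of Slow2Show's post or of any project discussed in the thread: a small Node.js sketch of the two points the reply makes. First, a percent-encoded link such as the `%73%75%70` one above decodes to exactly the same query string as the plain link, so obfuscating the URL changes nothing server-side. Second, a search page (or the admin "query log" page the reply imagines) that echoes user input into HTML is made safe by entity-encoding that input at render time. All function names (`decodeInputParam`, `escapeHtml`, `renderResultsUnsafe`, `renderResultsSafe`, `renderAdminQueryLog`, `looksLikeMarkup`) and the sample inputs are constructed for this illustration.

```javascript
// Added example (not from the original post). Shows why percent-encoding a
// link does not change the decoded query, and how output encoding neutralises
// markup reflected from a search box or a stored-query admin page.

// Recover the `input` parameter from a URL. URLSearchParams percent-decodes,
// so an obfuscated link and a plain one yield the same string.
function decodeInputParam(url) {
  return new URL(url).searchParams.get("input") || "";
}

// Minimal HTML entity encoder for text placed inside an element body or a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The weak form: the query is concatenated into the page unchanged, so any
// markup in it becomes part of the document the visitor's browser parses.
function renderResultsUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// The hardened form: same template, but the query is entity-encoded first,
// so the browser displays the text and never parses it as markup.
function renderResultsSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// The stored case from the thread: queries are logged and later shown to an
// administrator. Encoding at render time protects that viewer as well.
function renderAdminQueryLog(storedQueries) {
  const rows = storedQueries.map((q) => `<li>${escapeHtml(q)}</li>`).join("");
  return `<ul>${rows}</ul>`;
}

// Cheap logging/alerting check: does the raw input contain characters that
// could open a tag or break out of an attribute?
function looksLikeMarkup(query) {
  return /[<>"']/.test(query);
}

// Constructed sample inputs (not real traffic).
const obfuscatedLink = "http://website.com/someform?input=%73%75%70";
const plainLink = "http://website.com/someform?input=sup";
const hostileQuery = "<script>doSomething()</script>";

console.log(decodeInputParam(obfuscatedLink)); // sup
console.log(decodeInputParam(plainLink));      // sup
console.log(renderResultsUnsafe(hostileQuery));
console.log(renderResultsSafe(hostileQuery));
console.log(renderAdminQueryLog(["shoes", hostileQuery]));
console.log(looksLikeMarkup(hostileQuery), looksLikeMarkup("shoes")); // true false
```

The encoding in `escapeHtml` is only correct for element text and double-quoted attribute values; input placed into a JavaScript string, a URL, or a CSS value needs the encoder for that context instead.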
This archive was generated by hypermail 2b30 : Tue Jan 29 2002 - 15:56:44 PST