Re: CSS, CSS & let me give you some more CSS

From: SiLenCe (acid_rainat_private)
Date: Tue Jan 29 2002 - 16:39:52 PST


    Cross-site scripting vulnerabilities - If you think more about the name it makes slightly more sense.
    
    Cross-site scripting is an exploit against the Client that exists on the server (there's tons of others so don't classify Cross-Site Scripting as the only one).
    
    Basic Details | A remote site or any other remote user that can manipulate the 'target' into viewing a page could be the exploiter.  The exploiter's use of a CSS vulnerability is to be able to run code on the victim's machine with the privileges of the domain.
    
    More Details On That | The exploiter can run scripts or whatever is necessary with the privileges of the CSS vulnerable domain.  How does this benefit the exploiter?  Probably the most noted and popular use is for Cookie Hijacking.  Cookies for Hotmail are stored on the msn.com domain (It was moved back from passport.com when the passport issue arose - don't know details on that and that's off topic anyway).  Now if the exploiter exploited a cross-site script on MSN.COM (and there are some; I've found a few but I'm a dick and don't share, just trust me, all you have to do is look for them and you find them - coders are morons, same for YAHOO.COM and probably many others) to retrieve the cookies and submit them to his own server, he has access to the cookies which means he has access to your session, since probably +95% of popular email services use cookie authentication (and most likely 100% that support HTML mail, for security reasons) to verify a log in.  Also cookies are popular for Forum verification in message boards.  Another thing that is possible for a cookie is not only a session but sometimes a forum or whatever stores the username and password as a cookie.  Then of course cookies aren't the only thing to use it for.  A target can use it as a social engineering scenario where it prompts the user for something within a trusted domain.  Also a rare case (yet possible) scenario would be exploiting a CSS vulnerability on a 'Trusted Domain' where the script could do more privileged actions like who knows, file access or something.
    
    That's CSS in a bottle.  I don't know if that was any help but you're the judge.
    
    -SiLenCe
    ICQ# : 53229131
    E-Mail : acid_rainat_private
    
    -----Original Message-----
    From: tmorgan-securityat_private
    Date: Tue, 29 Jan 2002 11:30:27 -0800
    To: - phinegeek - <phineat_private>
    Subject: Re: CSS, CSS & let me give you some more CSS
    
    
    > Ok, so I am a little confused.  My understanding of CSS is that an
    > attacker is trying to reach a victim through a 3rd party website.
    > For instance, I post a message to a message board that contains
    > javascript, and it runs on a victim's machine, who viewed that
    > message.  
    > 
    > The reason I am confused is that, all of your supposed CSS vulns are
    > directed at search scripts.  Do the queries you are entering get
    > stored on the website, for later viewing by OTHER users?  It doesn't
    > seem likely.  The only person you could exploit would be, well,
    > yourself.  
    > 
    > Maybe I have completely missed the boat on this one, and if so,
    > please explain how I could attack someone ELSE with these...
    > 
    > Now if you showed me that I could slip SQL into one of these search
    > boxes, then I would call that a vulnerability...
    > 
    > tim
    > 
    > 
    > On Tue, Jan 29, 2002 at 12:31:21AM -0800, - phinegeek - wrote:
    > > A little while back I posted some info on a CSS bug I found on ebay,
    > > http://securityfocus.com/archive/82/246275.
    > > Just about every site(not joking) you go to has this type of vulnerability, its nothing new. Luckily, CSS vulns are very easy to fix, after they are discovered.
    > > However, you shouldn't have to wait until your site is prefixed with "Cross Site Scripting" on a Bugtraq posting. These types of errors, as well as many other similar(but less threatening) types are the product of careless programming practices.
    > > All you need is a method(call it SecureHTML()) that you run all your input through, before it gets displayed back to the user. This method would be used throughout your site in a modularized fashion.
    > > Isn't this how we should be doing it anyway???
    > > This simple principle can also be used for input that becomes part of an SQL statement(call it SecureSQL()) to guard against sql injection.
    > > Just modularize your code folks and make sure all your developers use the methods when dealing with input.
    > > Its really that simple.
    > > This is also not new, I guess you could call it prevention?
    > > 
    > > and heres some fun.. alot of Security issues =]
    > > 
    > > Security Focus:
    > > http://securityfocus.com/
    > > (copy and paste the text below in the search box just like it is)
    > > CSS OR "><!-- scripts><!-- ..tsk tsk tsk.. --></scripts -->"
    > > 
    > > Digital Security:
    > > http://www.eeye.com/html/forms/recommend.html?u=eeye.com/<!-- scripts>alert('Digital+Security?');</scripts -->
    > > 
    > > Internet Security:
    > > http://www.iss.net/search.php?pattern=<!-- scripts>alert('Internet+Security?');</scripts -->
    > > 
    > > Linux Security:
    > > http://search.linuxsecurity.com/cgi-bin/htsearch?words="><!-- scripts>alert('Linux+Security?')</scripts -->
    > > 
    > > Macintosh Security:
    > > http://www.macintoshsecurity.com/search.php?query="><!-- scripts>alert('Macintosh+Security?')</scripts -->
    > > 
    > > Social Security??:
    > > http://www.ssa.gov/online/forms.html
    > > (copy and paste the text below in the search box just like it is)
    > > Social Security <!-- scripts>alert('Social Security?');</scripts -->
    > > 
    > > 
    > > 'phine
    > > 
    > > p.s. none of the sites above have been notified.
    > > If I were to tell them, I would feel guilty and have to tell the others I know about(too many), then I would have to quit my night job.
    > > 
    > 
    
    -- 
    
    



    This archive was generated by hypermail 2b30 : Tue Jan 29 2002 - 17:08:23 PST