Re: CSS, CSS & let me give you some more CSS

From: M. Burnett (mbat_private)
Date: Thu Jan 31 2002 - 09:06:05 PST


    In the process of translating this French tutorial into English using 
    babelfish.altavista.com, I noticed that it converted the encoded 
    characters in the document.  Which brings up another potential source 
    of cross-site scripting attacks via translation and other online 
    tools.  Using a variety of techniques, one could formulate a URL that 
    appears to be coming from altavista.com but in fact is loading a page 
    loaded with nefarious code from any site.  Similar vulnerabilities 
    could potentially be found in sites such as HTML validation utilities 
    or broken link checkers.  
    
    I also found several domain name registrars that had whois lookups 
    that were vulnerable to cross-site scripting.  These in particular 
    could be serious vulnerabilities as some of these registrars allow 
    login via cookies.  By sending a properly crafted URL to the right 
    person, one could potentially hijack another's domain.
    
    Mark Burnett
    www.xato.net
    
    
    
    On Tue, 29 Jan 2002 23:25:52 +0100, Frog Frog wrote:
    >Nice... I just want to say that there is a tutorial in French about
    >cross site scripting : http://balteam.multimania.com/Tuts/css.txt .
    >If you have additions or advice, please send them to me...  Thx :)
    >
    >>From: "- phinegeek -" <phineat_private> To: vuln-devat_private
    >>Subject: CSS, CSS & let me give you some more CSS
    >>Date: Tue, 29 Jan 2002 00:31:21 -0800
    >>
    >>A little while back I posted some info on a CSS bug I found on
    >>ebay, http://securityfocus.com/archive/82/246275.
    >>Just about every site (not joking) you go to has this type of
    >>vulnerability, it's nothing new. Luckily, CSS vulns are very easy
    >>to fix, after they are discovered.
    >>However, you shouldn't have to wait until your site is prefixed
    >>with "Cross Site Scripting" on a Bugtraq posting. These types of
    >>errors, as well as many other similar (but less threatening) types
    >>are the product of careless programming practices.
    >>All you need is a method (call it SecureHTML()) that you run all
    >>your input through, before it gets displayed back to the user.
    >>This method would be used throughout your site in a modularized
    >>fashion.
    >>Isn't this how we should be doing it anyway???
    >>This simple principle can also be used for input that becomes part
    >>of an SQL statement (call it SecureSQL()) to guard against SQL
    >>injection.
    >>Just modularize your code folks and make sure all your developers
    >>use the methods when dealing with input.
    >>It's really that simple.
    >>This is also not new, I guess you could call it prevention?
    >>
    >>and here's some fun... a lot of security issues =]
    >>
    >>Security Focus: http://securityfocus.com/ (copy and paste the text
    >>below in the search box just like it is)
    >>CSS OR "><SCRIPT><!-- ..tsk tsk tsk.. --></SCRIPT>"
    >>
    >>Digital Security:
    >>http://www.eeye.com/html/forms/recommend.html?u=eeye.com/>;alert('Digital+Security?');</SCRIPT>
    >>
    >>Internet Security:
    >>http://www.iss.net/search.php?pattern=>alert('Internet+Security?');</script>
    >>
    >>Linux Security: http://search.linuxsecurity.com/cgi-
    >>bin/htsearch?words="><script>alert('Linux+Security?')</script>
    >>
    >>Macintosh Security:
    >>http://www.macintoshsecurity.com/search.php?query="><SCRIPT>alert('Macintosh+Security?')</SCRIPT>
    >>
    >>Social Security??: http://www.ssa.gov/online/forms.html (copy and
    >>paste the text below in the search box just like it is)
    >>Social Security <SCRIPT>alert('Social Security?');</SCRIPT>
    >>
    >>
    >>'phine
    >>
    >>p.s. none of the sites above have been notified.
    >>If I were to tell them, I would feel guilty and have to tell the
    >>others I  know about(too many), then I would have to quit my night
    >>job.
    >>
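The SecureHTML()/SecureSQL() idea from phinegeek's post, as an added example that is not part of this thread: encode at the point of display and bind SQL parameters, then check the result against a payload constructed after the search-box examples quoted above. The function names, the in-memory table and the sample input are my own assumptions.

```python
import html
import sqlite3

# Constructed sample input, modelled on the search-box payloads quoted above.
PAYLOAD = "\"><SCRIPT>alert('Linux+Security?')</SCRIPT>"


def secure_html(value: str) -> str:
    """The SecureHTML() idea: encode untrusted text for the HTML body or a
    double-quoted attribute. & < > " ' become entities, so the input can
    neither close the attribute it sits in nor open a tag of its own."""
    return html.escape(value, quote=True)


def render_results(query: str, hardened: bool) -> str:
    """Echo the search term back, as the sites in the thread do. hardened=False
    is the careless version; True runs every untrusted value through
    secure_html() at the point of display."""
    shown = secure_html(query) if hardened else query
    return (f'<form><input name="words" value="{shown}"></form>'
            f"<p>Results for {shown}</p>")


def breaks_out(page: str) -> bool:
    """Regression check for a test suite: the template above never emits a
    script tag, so one in the output can only have come from the input."""
    return "<script" in page.lower()


def lookup_owner(conn: sqlite3.Connection, domain: str) -> list:
    """The SecureSQL() idea, done with parameter binding: the input is never
    spliced into the statement text, so quotes in it remain data."""
    cur = conn.execute("SELECT owner FROM domains WHERE name = ?", (domain,))
    return [row[0] for row in cur.fetchall()]


def demo_db() -> sqlite3.Connection:
    """Hypothetical registrar table, constructed in memory for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domains (name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO domains VALUES (?, ?)",
                     [("example.com", "alice"), ("example.net", "bob")])
    return conn


if __name__ == "__main__":
    print(breaks_out(render_results(PAYLOAD, hardened=False)))  # True
    print(breaks_out(render_results(PAYLOAD, hardened=True)))   # False
    db = demo_db()
    print(lookup_owner(db, "example.com"))     # ['alice']
    print(lookup_owner(db, "x' OR '1'='1"))    # []
```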
    



    This archive was generated by hypermail 2b30 : Thu Jan 31 2002 - 10:19:47 PST