Re: CSS, CSS & let me give you some more CSS

From: Sverre H. Huseby (shhat_private)
Date: Thu Jan 31 2002 - 14:54:27 PST


    [Joe Harrison]
    
    |   I can't help feel the importance of these cross-site-scripting attacks is
    |   over-emphasised.
    |   
    |   1. You can grab a session cookie which can give you a hijacked login.
    |   Obviously not good but also not that easy to implement as it needs quite
    |   precise timing.
    
    Not necessarily.  Here are a couple of examples where the timing is
    not important:
    
      * The site in question lets a user store things in a database, that
        will later be sent to other, logged-in users (e.g. a discussion
        forum).  If output is not correctly "washed", the user will
        receive the script after logging in, so the attacker need not know
        when the user is logged in.
    
      * Social engineering 1: A URL with "Check this cool [something] at
        [target site]" in a mail may do.  If the URL contains a script,
        and the target site 1) requires login and 2) routes the victim to
        the original URL after a successful login, the script will be run
        after logging in.  No timing needed.
    
      * Social engineering 2: A mail with forged sender stating that "we
        suspect that we have a [security/database/whatever] problem.
        Please log in at our site, and go to the following URL to verify
        that everything is OK."  The URL does, of course, contain a
        malicious script.  No timing needed.
    
    |   Also the rightful session owner (even if unsophisticated user) is
    |   immediately going to notice something funny is happening when his
    |   or her genuine session blows away.
    
    Not if the script is carefully crafted.  The script may redirect the
    user to the attacker's site, bringing the cookie with it.  The
    attacker's server picks the cookie from the request and stores it in a
    database or something.  The only output from the attacker's site is a
    new browser redirect that brings the user back to the original site.
    
    I have tried it: No browser flickery or anything that will be noticed
    by most users.
    
    
    Sverre.
    
    -- 
    shhat_private			Play my free Nerd Quiz at
    http://shh.thathost.com/		http://nerdquiz.thathost.com/
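The output "washing" the first bullet refers to, as an added example that is not part of Sverre's post: untrusted text is HTML-escaped before it is embedded in a page, so a stored forum message or a reflected URL parameter cannot carry a script to other logged-in users. The sample posts and the helper names are constructed for this illustration.

```javascript
// Added example: HTML output escaping ("washing") for untrusted text
// before it is embedded in a page, e.g. a stored forum message that is
// later shown to other logged-in users. Sample data below is constructed.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Replace every character that can change HTML structure. A single regex
// pass means each character is replaced exactly once, so '&' is never
// double-escaped.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a stored message for display. Author and body both came from a
// user at some point, so both are escaped at output time.
function renderForumPost(post) {
  return `<div class="post"><b>${escapeHtml(post.author)}</b>: ${escapeHtml(post.body)}</div>`;
}

// Reflect a URL parameter (e.g. a search term echoed back after login)
// the same way; the context is text between tags, so escapeHtml applies.
function renderSearchEcho(term) {
  return `<p>Results for "${escapeHtml(term)}"</p>`;
}

// Simple check usable in a unit test or a response-scanning detector:
// does any raw script tag survive in the rendered markup?
function hasRawScriptTag(html) {
  return /<\s*script/i.test(html);
}

// Constructed sample posts: one benign, one carrying a harmless test probe.
const SAMPLE_POSTS = [
  { author: "alice", body: "Hello, forum!" },
  { author: "mallory", body: "<script>alert(1)</script>" },
];

function allPostsRenderSafely(posts) {
  return posts.every((p) => !hasRawScriptTag(renderForumPost(p)));
}
```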
    



    This archive was generated by hypermail 2b30 : Thu Jan 31 2002 - 15:03:53 PST