OSEC

From: Jeremiah Grossman (jeremiahwhitehatsec.com)
Date: Tue Oct 23 2001 - 11:17:18 CDT


    Alrighty then! ;)

    Ok, let's say you have a constant-state, HTML-aware application.
    Constant state means that the user input destined for a page or
    a group of pages stays persistent through at least a few GET requests.

    For instance, WebMail, MessageBoards, HTML Chat, Guest Book,
    User Profile... that sort of thing. HTML aware means that the web
    application allows HTML, knowingly or unknowingly. The above
    examples cover these types of web apps also.

    So, now that we have the landscape... and it's rather large... everyone
    uses these types of systems and beyond.

    But first let me stress that I in no way endorse or take responsibility
    for anyone reading this material and using what I describe further
    for malicious, abusive or illegal acts. This information is purely
    for educational and protective means. * Jer Disclaimer *

    So now we gotta get a javascript to auto exec within a user's web
    environment. Many Many Many ways... let's cover the few
    basics because each system may only allow certain types to enter.

    <SCRIPT>javascript_expression</SCRIPT>
    The simplest method... if a web app allows the SCRIPT tag, the rest
    is a walk.

    <IMG SRC="javascript:javascript_expression">
    Works with most tags that have a SRC element. The browser auto execs
    an internal JS debugger, I think... and runs the expression.

    <IMG SRC="&{javascript_expression};">
    Very weird Netscape Only thing... works under 4.x and maybe more.
    Specific syntax is required here.

    and let's have one more....

    <style TYPE="text/javascript">
    JS EXPRESSION
    </style>
    Converting a STYLE sheet into JavaScript. Very interesting behavior
    if you ask me, but it works.

    Now what do you do with this stuff? Well you CAN do many
    things as Rudi has suggested.... you have literally more control
    over the browser nowadays than the users themselves.

    So the next time you open your webmail or read a message
    board and something bad happens, don't say I didn't warn ya :)

    Jeremiah
    WhiteHat Security

    rudi carell wrote:

    > hi Mark,
    >
    > ---cut here---
    > >Does anyone have a really good explanation of how cross site scripting
    > >could work with no user intervention at all...I have seen lots of ways
    > >to pass JavaScript like URL and Unicoded (and OWASP are writing them
    > >up) but I haven't seen a good explanation of how it can be used on a
    > >totally innocent user...all the exploits I have *seen* have involved
    > >first tricking the target into clicking a hyperlink...
    > ---cut here---
    >
    > jeremiah should be the right man for this question :-)
    >
    > but ..
    >
    > a minimum of user input is always necessary!
    >
    > at least a document carrying the malicious JavaScript has to be opened by
    > the victim (looking at his webmail-INBOX for example)!
    >
    > then the attacker can do everything the victim is able to do with his client
    > (browser) without any further user input.
    >
    > rC
    >
    > securityfreefly.com
    > http://www.freefly.com/security/
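The four vectors listed in the message above, turned into a defensive check (added example code, not from the original post or from WhiteHat Security): a scanner a webmail or message-board application could run over submitted HTML before storing it. It inspects every attribute value rather than only SRC, and its tag tokenizer and scheme normalization are simplifying assumptions, not a full HTML parser.

```javascript
// Added example, not code from the original post: flag the four auto-executing
// vectors the message lists in HTML that a webmail, message board or guest book
// is about to store or render. Tag/attribute parsing below is a simplified
// regex tokenizer (an assumption of this example), not a full HTML parser.
const TAG_RE = /<\s*([a-zA-Z][\w:-]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Collect name=value pairs from the raw attribute text of one tag.
function parseAttributes(rawAttrs) {
  const attrs = {};
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Browsers ignore whitespace and control characters inside a URL scheme
// ("java<TAB>script:" still runs), so strip them before comparing.
function normalizeUrl(value) {
  return value.replace(/[\s\u0000-\u001f]+/g, "").toLowerCase();
}

// Returns a sorted, de-duplicated list of the vector names found in `html`.
function findScriptVectors(html) {
  const found = new Set();
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttributes(m[2]);
    if (tag === "script") found.add("script-tag");            // <SCRIPT>...</SCRIPT>
    if (tag === "style" && /javascript/i.test(attrs.type || "")) {
      found.add("style-javascript");                           // <style TYPE="text/javascript">
    }
    for (const value of Object.values(attrs)) {
      if (normalizeUrl(value).startsWith("javascript:")) {
        found.add("javascript-url");                           // SRC="javascript:..."
      }
      if (value.includes("&{")) found.add("netscape-entity");  // SRC="&{...};" (Netscape 4.x)
    }
  }
  return [...found].sort();
}

// Constructed sample: the kind of guest-book entry the post describes.
const sampleGuestBookEntry =
  '<p>Nice site!</p><IMG SRC="javascript:alert(1)">' +
  '<style TYPE="text/javascript">alert(1)</style>';
```

Anything the scanner flags should be rejected or stripped before the content is stored, since a stored entry reaches every later reader of the page. The check is a first filter only; an allowlist of permitted tags and attributes is the safer policy for HTML-aware applications.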