OSEC

From: Mark Curphey (mcurpheyonebox.com)
Date: Tue Oct 23 2001 - 12:14:10 CDT


    Thanks for the replies. I get how to execute JavaScript automatically,
    but you always need to start this attack by tricking a user into clicking
    the original link, right (or by email, as Richard points out)? Which really
    makes it a social engineering trick to get it all going.

    Once they have clicked it, it's game over....

    Now would I be right in saying that if your application is not HTML aware,
    then stripping the < (and its URL and Unicode equivalents) will protect you 100%
    from this problem?

    ---- Jeremiah Grossman <jeremiahwhitehatsec.com> wrote:
    > Alrighty then! ;)
    >
    >
    > Ok, let's say you have a constant-state, HTML-aware application.
    > Constant state means that the user-input destined for a page or
    > a group of pages stays persistent through at least a few GET requests.
    >
    > For instance, WebMail, MessageBoards, HTML Chat, Guest Book,
    > User Profile... that sort of thing. HTML aware means that the web
    > application allows HTML, knowingly or unknowingly. The above
    > examples cover these types of web apps also.
    >
    > So, now that we have the landscape... and it's rather large... everyone
    > uses these types of systems and beyond.
    >
    > But first let me stress that I in no way endorse or take responsibility
    > for anyone reading this material and using what I describe further
    > for malicious, abusive or illegal acts. This information is purely
    > for educational and protective means. * Jer Disclaimer *
    >
    >
    > So now we gotta get a javascript to auto exec within a user's web
    > environment. Many Many Many ways... let's cover the few
    > basics because each system may only allow certain types to enter.
    >
    >
    > <SCRIPT>javascript_expression</SCRIPT>
    > The simplest method... if a web app allows the SCRIPT tag, the rest
    > is a walk.
    >
    >
    > <IMG SRC="javascript:javascript_expression">
    > Works with most tags that have a SRC element. The browser auto-execs
    > an internal JS debugger, I think... and runs the expression.
    >
    > <IMG SRC="&{javascript_expression};">
    > Very weird Netscape-only thing... works under 4.x and maybe more.
    > Specific syntax is required here.
    >
    > and let's have one more....
    >
    >
    > <style TYPE="text/javascript">
    > JS EXPRESSION
    > </style>
    > Converting a STYLE sheet into JavaScript. Very interesting behavior
    > if you ask me, but it works.
    >
    >
    > Now what do you do with this stuff? Well, you CAN do many
    > things, as Rudi has suggested.... you have literally more control
    > over the browser nowadays than the user themselves.
    >
    > So the next time you open your webmail or read a message
    > board and something bad happens, don't say I didn't warn ya :)
    >
    > Jeremiah
    > WhiteHat Security
    >
    >
    >
    >
    > rudi carell wrote:
    >
    > > hi Mark,
    > >
    > > ---cut here---
    > > >Does anyone have a really good explanation of how cross site scripting
    > > >could
    > > >work with no user intervention at all...I have seen lots of ways to pass
    > > >JavaScript like URL and Unicoded (and OWASP are writing them up) but I
    > > >haven't seen a good explanation of how it can be used on a totally
    > > >innocent
    > > >user...all the exploits I have *seen* have involved first tricking the
    > > >target into clicking a hyperlink...
    > > ---cut here---
    > >
    > > jeremiah should be the right man for this question :-)
    > >
    > > but ..
    > >
    > > a minimum of user input is always necessary!
    > >
    > > at least a document carrying the malicious java-script has to be opened by
    > > the victim (looking at his webmail-INBOX for example)!
    > >
    > > then the attacker can do everything the victim is able to do with his client
    > > (browser) without any further user input.
    > >
    > > rC
    > >
    > > securityfreefly.com
    > > http://www.freefly.com/security/
    >

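Mark's question (is stripping `<` enough?) and the four vectors Jeremiah lists, worked through as an added example that is not part of this thread: in a non-HTML-aware app, full output encoding of the text node makes each vector inert, but in an HTML-aware app that lets a user supply an image URL the `javascript:` and `&{...}` forms contain no `<` at all, so the SRC value has to be validated by scheme instead. The `render_image` guest-book renderer and the example.com URLs are constructed for illustration; only the Python standard library is assumed.

```python
import html
from urllib.parse import urlparse

# The four auto-executing vectors Jeremiah lists, copied from the thread.
VECTORS = [
    '<SCRIPT>javascript_expression</SCRIPT>',
    '<IMG SRC="javascript:javascript_expression">',
    '<IMG SRC="&{javascript_expression};">',
    '<style TYPE="text/javascript">JS EXPRESSION</style>',
]


def strip_lt(s):
    """The filter Mark asks about: drop '<' and nothing else."""
    return s.replace('<', '')


def render_text(user_input):
    """Non-HTML-aware app: user input lands in a text node.
    Encoding every special character (not just '<') leaves each vector
    as inert, visible text."""
    return '<p>' + html.escape(user_input, quote=True) + '</p>'


def safe_src(url):
    """HTML-aware app that lets a user supply an image URL. The value
    sits inside SRC, so '<' never appears in the payload and strip_lt
    does nothing; instead allow only http(s) URLs with a host, which
    rejects both 'javascript:' and the Netscape '&{...}' form.
    Returns the attribute-encoded URL, or None if rejected."""
    cleaned = url.strip()
    parts = urlparse(cleaned)
    if parts.scheme.lower() in ('http', 'https') and parts.netloc:
        return html.escape(cleaned, quote=True)
    return None


def render_image(user_url):
    """Hypothetical guest-book avatar renderer (constructed for this example)."""
    src = safe_src(user_url)
    if src is None:
        return '<img alt="image blocked">'
    return '<img src="%s">' % src
```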