OSEC

From: Sverre H. Huseby (shhthathost.com)
Date: Tue Oct 23 2001 - 14:06:00 CDT


    [Mark Curphey]

    | I get how to execute JavaScript automatically but you always need
    | to start this attack by tricking a user into clicking the original
    | link right (or by email as Richard points out)? which really makes
    | it a social engineering trick to get it all going.

    I'm not quite sure what you mean by "clicking the original link".
    If I manage to put a script in a discussion forum, people won't have
    to click _my_ link. They only have to read the page on which the
    script is.

    Also, if I send a mail with "Content-Type: text/html" and put a script
    in that mail, users of e.g. Outlook won't have to click anywhere in the
    mail to be hosed. They just need to read it. Or preview it. Unless
    they have an Outlook that does not run scripts, of course.

    | Now would I be right in saying that if your application is not
    | HTML aware then stripping the < (and URL and Unicode Equivs) will
    | protect you 100% from this problem?

    AFAIK, yes. But that won't protect you against off site scripts
    targeted at your site, such as scripts in mail or on other web pages.
    That is what the Zope guys termed "Client Side Trojans" back in May
    2000:

      http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan

    Sverre.

    -- 
    shhthathost.com			Play my free Nerd Quiz at
    http://shh.thathost.com/		http://nerdquiz.thathost.com/
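An added example, not code from the original post or from the OSEC list: the exchange above hinges on stripping `<` together with its URL-encoded and Unicode equivalents, and this Python shows why the filter must canonicalize first (percent-decoding to a fixed point, NFKC folding of fullwidth forms) and how escaping on output keeps the text intact instead of dropping it. Function names and the sample inputs are constructed for the illustration.

```python
import html
import unicodedata
from urllib.parse import unquote


def naive_strip(s: str) -> str:
    """The bare version of the advice: drop literal '<' only."""
    return s.replace("<", "")


def canonicalize(s: str) -> str:
    """Undo the encodings the thread mentions before any filtering.

    Percent-decode repeatedly so double-encoded input (%253C) is caught,
    then apply NFKC so compatibility forms such as fullwidth U+FF1C fold
    to the plain ASCII '<' the filter is looking for.
    """
    prev = None
    while prev != s:  # decode until nothing changes
        prev = s
        s = unquote(s)
    return unicodedata.normalize("NFKC", s)


def strip_lt(s: str) -> str:
    """Strip '<' after canonicalization, so encoded equivalents cannot slip past."""
    return canonicalize(s).replace("<", "")


def escape_for_html(s: str) -> str:
    """Output encoding: the text survives intact but is inert as HTML."""
    return html.escape(canonicalize(s), quote=True)


# Constructed sample inputs (not taken from the post).
SAMPLES = {
    "literal": "<b>hi</b>",
    "url_encoded": "%3Cb%3Ehi%3C/b%3E",
    "double_encoded": "%253Cb%253E",
    "fullwidth": "\uff1cb\uff1ehi",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15} naive={naive_strip(raw)!r:24} "
              f"strip={strip_lt(raw)!r:12} escape={escape_for_html(raw)!r}")
```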