Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Sverre H. Huseby (shhthathost.com)
Date: Tue Jan 29 2002 - 02:07:40 CST
Thanks for your thorough text!
| (I know many of the write-ups also mention & as a potential attack
| vector, but I've not seen a successful CSS ever made using it.)
I have. Yesterday. AFAIK, it works on Netscape Navigator only. I
attribute of the input tag. If a form redisplays its input without
"washing" ampersand (or curly braces or semicolon, all are needed for
Netscape to parse this as a script), CSS is a piece of cake when the
victim uses Netscape.
Note that it seems that only Netscape Navigator implements this
Opera and Mozilla.
| 3) Data is possibly partially filtered, but the value is used inside of a
| tag's values & parameters.
| This covers the cases where the data is being used as a
| "value" section of an <input> tag or inside the "onLoad" of a
| <body> tag, or other similar cases. Even if <> is filtered out,
| it is possible to inject more script by closing the current value
| (either ' or " depending on what the site uses) and adding your
| own code there.
Eg. by adding a style tag that may trick Internet Explorer into
running a script:
| Scripts that can do anything that scripts can do. The most common
| list of attacks are: [...]
I would add: Abusing bugs in the browser. I don't know if it correcly
may be described as Cross Site _Scripting_, but if you successfully
inject an applet tag, and load eg. Brown Orifice, the attacker may
control the victim's unpatched version of Netscape Navigator. Similar
bugs (ie. abusable via HTML contents) exist in most browsers.
| >How do you know if a test was successful?
| If I am able to inject any of my own code that executes in the
| script, it has worked. Obviously the easiest for simple testing
| is to pop an "alert" window with a message in it.
It should be noted that if you are _not_ able to insert code that
executes, it does not necessarily mean that the site is not
vulnerable. It just means that _you_ are not able to do it. Or maybe
it means that they successfully prevent script in the page you test,
but you can hardly know when your input will show up in another page,
or in an HTML formatted mail generated by the site.
You can prove that they are vulnerable to CSS, but you cannot prove
that they are not. (I guess you knew that Larry, but I _know_ other
people don't, so I wanted to mention it.)
-- shhthathost.com Play my free Nerd Quiz at http://shh.thathost.com/ http://nerdquiz.thathost.com/