From: Sverre H. Huseby (shhthathost.com)
Date: Tue Jan 29 2002 - 02:07:40 CST


    Thanks for your thorough text!

    [Shields, Larry]

    | (I know many of the write-ups also mention & as a potential attack
    | vector, but I've not seen a successful CSS ever made using it.)

    I have. Yesterday. AFAIK, it works on Netscape Navigator only. I
    stumbled across the "JavaScript Entity" while skimming the Netscape
    JavaScript Guide a year ago:

      http://developer.netscape.com/docs/manuals/js/client/jsguide/embed.htm#1013293

    JavaScript entities only work in HTML tag attributes. Like the value
    attribute of the input tag. If a form redisplays its input without
    "washing" ampersand (or curly braces or semicolon, all are needed for
    Netscape to parse this as a script), CSS is a piece of cake when the
    victim uses Netscape.

    Note that it seems that only Netscape Navigator implements this
    strange JavaScript entity. I have been unable to make it work in IE,
    Opera and Mozilla.

    | 3) Data is possibly partially filtered, but the value is used inside of a
    | tag's values & parameters.
    | This covers the cases where the data is being used as a
    | "value" section of an <input> tag or inside the "onLoad" of a
    | <body> tag, or other similar cases. Even if <> is filtered out,
    | it is possible to inject more script by closing the current value
    | (either ' or " depending on what the site uses) and adding your
    | own code there.

    E.g. by adding a style tag that may trick Internet Explorer into
    running a script:

      style="left:expression(eval('alert(\'script\')'))"

    | Scripts that can do anything that scripts can do. The most common
    | list of attacks are: [...]

    I would add: Abusing bugs in the browser. I don't know if it correctly
    may be described as Cross Site _Scripting_, but if you successfully
    inject an applet tag, and load e.g. Brown Orifice, the attacker may
    control the victim's unpatched version of Netscape Navigator. Similar
    bugs (i.e. abusable via HTML contents) exist in most browsers.

    | >How do you know if a test was successful?
    |
    | If I am able to inject any of my own code that executes in the
    | script, it has worked. Obviously the easiest for simple testing
    | is to pop an "alert" window with a message in it.

    It should be noted that if you are _not_ able to insert code that
    executes, it does not necessarily mean that the site is not
    vulnerable. It just means that _you_ are not able to do it. Or maybe
    it means that they successfully prevent script in the page you test,
    but you can hardly know when your input will show up in another page,
    or in an HTML formatted mail generated by the site.

    You can prove that they are vulnerable to CSS, but you cannot prove
    that they are not. (I guess you knew that Larry, but I _know_ other
    people don't, so I wanted to mention it.)

    Sverre.

    -- 
    shhthathost.com			Play my free Nerd Quiz at
    http://shh.thathost.com/		http://nerdquiz.thathost.com/
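The message above makes two points about redisplaying form input inside a tag attribute: the ampersand must be "washed" (otherwise Netscape may treat the value as a JavaScript entity), and the quote character that delimits the attribute must be washed too (otherwise the value can be closed and further attributes added). The following is an added example, not code from the original post, showing an attribute encoder that covers both cases and a check that confirms nothing dangerous survives in the rendered attribute. The function names (`escape_attr`, `render_input`, `attr_is_encoded`) and the sample input are constructed for this illustration.

```python
import re

# Characters that must never reach an HTML attribute value unencoded.
# '&' is included because of the Netscape "JavaScript entity" described in
# the message above; the quotes because they close the attribute; '<' and
# '>' because some sites emit values unquoted.
_ATTR_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
}
_ATTR_PATTERN = re.compile(r'[&<>"\']')


def escape_attr(value: str) -> str:
    """Encode a string for use inside a double- or single-quoted attribute."""
    return _ATTR_PATTERN.sub(lambda m: _ATTR_ESCAPES[m.group(0)], value)


def render_input(name: str, value: str) -> str:
    """Redisplay user input in a form field, encoding name and value alike."""
    return '<input type="text" name="%s" value="%s">' % (
        escape_attr(name),
        escape_attr(value),
    )


# The only entities escape_attr() emits; any '&' not starting one of them
# is a raw ampersand that a browser could parse in its own way.
_RAW_AMP = re.compile(r"&(?!(?:amp|lt|gt|quot|#39);)")


def attr_is_encoded(attr_value: str) -> bool:
    """True if the value has no raw '&', quotes or angle brackets."""
    if _RAW_AMP.search(attr_value):
        return False
    return not any(ch in attr_value for ch in "<>\"'")


# Constructed sample input (hypothetical): an ordinary-looking company name
# that contains every character the message calls out, namely ampersand,
# curly braces, semicolon and both quote characters.
SAMPLE = "O'Brien & Sons \"Ltd\" {est. 1999};"

if __name__ == "__main__":
    html = render_input("company", SAMPLE)
    print(html)
    print("attribute safe:", attr_is_encoded(escape_attr(SAMPLE)))
```

The braces and the semicolon are left alone on purpose: once the ampersand is turned into `&amp;`, there is no entity for Netscape to parse, and once both quote characters are encoded the attribute cannot be closed early, so the `style="..."` breakout quoted above never becomes a separate attribute. Encoding the attribute value is what blocks both vectors; filtering `<` and `>` alone, as the quoted text notes, does not.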