From: David Endler (dendler_at_idefense.com)
Date: Tue Dec 10 2002 - 12:40:08 CST

    Hi John,

    I guess what you're asking is if your company has a vulnerable
    static web site, should you really care? With regard to that
    web site's data, you're probably safe, unless you're sharing
    cookies/tokens across multiple domains (e.g. MS passport). I
    know I'm belaboring the point which has been made in other
    mailing list posts, but you can do a lot more with XSS besides
    cookie stealing/account hijacking.

    XSS attacks can be used to assist in various types of browser
    exploitation (buffer/heap overflow, browser hijacking, etc.)
    which can lead to revealing sensitive information/files on the
    desktop or network file system, denial of service scripting
    against the user or others, or potentially any code the
    attacker can get the browser to launch with the privileges of
    that user.

    How does this affect your web site data directly? It may not.
    But vulnerable users (and your clients) are much more likely
    to click on malicious web or email links with domains they
    know and trust (e.g. yahoo.com, cnn.com, yourcompany.com,
    etc.).

    -dave

     

    > -----Original Message-----
    > From: John Madden [mailto:chiwawa999yahoo.com]
    > Sent: Tuesday, December 10, 2002 11:36 AM
    > To: webappsecsecurityfocus.com
    > Subject: Re: XSS
    >
    >
    > Hi All,
    >
    > Thanks to everyone for their responses.
    >
    > Maybe I did not express myself well enough. What I
    > wanted to know is if a site is vulnerable to XSS but
    > doesn't allow any write operation, any postings for
    > other users to actually use the malicious URL, can it
    > be used for something else ? The reason I'm asking is
    > that the company I work for is vulnerable but doesn't
    > allow any kind of user input (basically it's just an
    > information site) We have to weigh the threat vs
    > cost, if nothing can be done with the XSS (not to say
    > that they will never allow any user input...) then it
    > will have a lower priority in the recommendations and
    > if to fix all the web pages costs mucho $$$$ then we
    > have to consider that as well.
    >
    > Any ideas ?
    >
    > --- Kevin Spett <kspettspidynamics.com> wrote:
    > > We've got an XSS paper that describes a real attack
    > > in technical detail. The scenario it uses is a bank
    > > login page that uses client-supplied data for a
    > > login-failed error message.
    > >
    > > http://www.spidynamics.com/mktg/xss
    > >
    > >
    > > I hope it helps.
    > >
    > >
    > >
    > > Kevin Spett
    > > SPI Labs
    > > http://www.spidynamics.com/
    > >
    > > ----- Original Message -----
    > > From: "John Madden" <chiwawa999yahoo.com>
    > > To: <webappsecsecurityfocus.com>
    > > Sent: Tuesday, December 10, 2002 9:38 AM
    > > Subject: XSS
    > >
    > >
    > > > Hello all,
    > > >
    > > > Being new to XSS and seeing a lot of messages in the
    > > > last couple weeks on the subject got me wondering...
    > > >
    > > > What is the real vulnerability if the site in
    > > > question is vulnerable to XSS but does not let you
    > > > write any malicious scripts on the system, like
    > > > message board, forums etc... ? Can anything be done to
    > > > exploit XSS if the above scenario occurs ? I know it
    > > > depends on the web server, packages installed etc...
    > > > I'm asking in general is it possible ?
    > > >
    > > > You can do the document.cookie and view your
    > > > cookie, that might give a hint on the structure but...
    > > > or redirect yourself to another web site :) etc...
    > > >
    > > > I've read the document on XSS by David Endler
    > > > http://www.idefense.com/papers.html but still have
    > > > some questions.
    > > >
    > > > If possible, can the XSS gurus on the list shed some
    > > > light on the subject.
    > > >
    > > > Thanks for your time,
    > > >
    > > > Cheers
    > > >
    > > >
    > > >
    > >
    >
    >
    >
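
Added example, not part of the thread: the case discussed above, a site with no stored user input that still echoes request data into a page (as in the login-failed error message scenario), shown as a vulnerable renderer beside its output-encoded form, with a check a site owner can run against each page renderer. All function names, the page template and the probe string are assumptions constructed for illustration.

```javascript
// Constructed example: a read-only information site that echoes a
// client-supplied value into a login-failed style error message.

// HTML-encode the five characters that can change parsing context in
// element content and quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: client-supplied data is concatenated into markup as-is.
function renderErrorUnsafe(user) {
  return '<p class="error">Login failed for ' + user + '</p>';
}

// Hardened: the same message with output encoding applied at the sink.
function renderErrorSafe(user) {
  return '<p class="error">Login failed for ' + escapeHtml(user) + '</p>';
}

// Regression check: pass a harmless probe containing markup characters and
// report whether it comes back unencoded, i.e. whether a browser would
// parse the reflected value as markup rather than display it as text.
function reflectsRawMarkup(render) {
  const probe = '<b id="xss-probe">\'"&</b>'; // constructed, inert probe
  return render(probe).includes(probe);
}

// Run the check over a set of named renderers and summarize the result.
function audit(renderers) {
  const report = {};
  for (const [name, fn] of Object.entries(renderers)) {
    report[name] = reflectsRawMarkup(fn) ? 'REFLECTED-UNENCODED' : 'encoded';
  }
  return report;
}

console.log(audit({ renderErrorUnsafe, renderErrorSafe }));
```

The unsafe renderer is flagged even though nothing is ever written to the site, which is why the absence of forums or postings does not by itself remove the finding.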