From: Jeff Williams _at_ Aspect (_at_)
Date: Wed Dec 11 2002 - 09:57:47 CST


    Matt is exactly right here. Even web sites with no storage can be
    susceptible to really serious XSS attacks. These attacks are simply
    reflected off a vulnerable server. We've been calling these 'external
    XSS' attacks -- because the attack is never stored on the vulnerable web
    server.

    Can anyone think of any differences between 'persistent' and 'external'
    XSS attacks in terms of the damage they can cause? They are definitely
    different in terms of the difficulty of launching the attack (external XSS
    may even be easier!) -- but the consequences are the same right? If
    that's true then 'external XSS' would represent a more serious risk than
    the persistent variety.

    --Jeff

    Jeff Williams
    jeff.williamsaspectsecurity.com
    Aspect Security, Inc.
    www.aspectsecurity.com

    ----- Original Message -----
    From: Matthew Miller
    To: John Madden
    Cc: webappsecsecurityfocus.com
    Sent: Wednesday, December 11, 2002 8:03 AM
    Subject: Re: XSS

    John-

    Two things....

    First, there are really two types of XSS. Persistent, where the
    injected code is stored within the web application, such as in
    distribution lists, databases, etc.; and transaction-based, requiring a
    user to perform an action in order to be affected, such as clicking on a
    link, viewing a page with malicious script in it, etc. Therefore, any
    site that is accepting any form of user input is potentially
    vulnerable...though the risk of persistent XSS exceeds the risk of
    transaction-based XSS in most cases.

    Second, XSS is not only used to grab a user's session ID. An attacker
    could inject code into the page to redirect the user or modify
    presentation of content. Imagine a corporate site where you could
    add/modify a press release or news items; could you impact the
    company's stock price or lessen consumer confidence? Imagine a
    pharmaceutical site where you could modify dosage for medication; could
    you get someone to overdose?

    mm

    --
    Matthew P. Miller
    www.atstake.com
    

    On Tuesday, December 10, 2002, at 11:35 AM, John Madden wrote:

    > Hi All,
    >
    > Thanks to everyone for their responses.
    >
    > Maybe i did not express myself well enough. What I
    > wanted to know is if a site is vulnerable to XSS but
    > doesn't allow any write operation, any postings for
    > other users to actually use the malicious URL, can it
    > be used for something else ? The reason i'm asking is
    > that the company I work for is vulnerable but doesn't
    > allow any kind of user input (basically it's just an
    > information site). We have to weigh the threat vs
    > cost, if nothing can be done with the XSS (not to say
    > that they will never allow any user input...) then it
    > will have a lower priority in the recommendations and
    > if to fix all the web pages costs mucho $$$$ then we
    > have to consider that as well.
    >
    > Any ideas ?
    >
    > --- Kevin Spett <kspettspidynamics.com> wrote:
    >> We've got an XSS paper that describes a real attack
    >> in technical detail.
    >> The scenario it uses is a bank login page that uses
    >> client-supplied data for
    >> a login-failed error message.
    >>
    >> http://www.spidynamics.com/mktg/xss
    >>
    >>
    >> I hope it helps.
    >>
    >>
    >>
    >> Kevin Spett
    >> SPI Labs
    >> http://www.spidynamics.com/
    >>
    >> ----- Original Message -----
    >> From: "John Madden" <chiwawa999yahoo.com>
    >> To: <webappsecsecurityfocus.com>
    >> Sent: Tuesday, December 10, 2002 9:38 AM
    >> Subject: XSS
    >>
    >>
    >>> Hello all,
    >>>
    >>> Being new to XSS and seeing a lot of messages in the
    >>> last couple weeks on the subject got me wondering...
    >>>
    >>> What is the real vulnerability if the site in
    >>> question is vulnerable to XSS but does not let you
    >>> write any malicious scripts on the system, like
    >>> message board, forums etc... ? Can anything be done to
    >>> exploit XSS if the above scenario occurs ? I know it
    >>> depends on the web server, packages installed etc...
    >>> I'm asking in general is it possible ?
    >>>
    >>> You can do the document.cookie and view your
    >>> cookie, that might give a hint on the structure but...
    >>> or redirect yourself to another web site :) etc...
    >>>
    >>> I've read the document on XSS by David Endler
    >>> http://www.idefense.com/papers.html but still have
    >>> some questions.
    >>>
    >>> If possible, can the XSS gurus on the list shed some
    >>> light on the subject.
    >>>
    >>> Thanks for your time,
    >>>
    >>> Cheers
    >>>
    >>>
    >>> __________________________________________________
    >>> Do you Yahoo!?
    >>> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
    >>> http://mailplus.yahoo.com
    >>>
    >>
    >
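The two XSS shapes debated in this thread, side by side, as an added Python example that is not code from any of the posters or their companies. It assumes Kevin's bank scenario (a login-failed message that echoes the submitted username) for the reflected or "external" case, and a constructed in-memory list standing in for the "distribution lists, databases" Matt mentions for the persistent case; the fix shown for both is output encoding with the standard library's `html.escape`, and the `untrusted_markup_survives` check is a hypothetical review helper, not a real tool.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the server-side store Matt describes
# (press releases, news items): an in-memory list of user submissions.
NEWS_ITEMS: list[str] = []


def login_query(user: str) -> str:
    """Build the query string a login form would send back (demo helper)."""
    return urlencode({"user": user})


def render_login_error_vulnerable(query_string: str) -> str:
    """Reflected ('external') XSS: the username taken from the request is
    echoed into the login-failed message unencoded. Nothing is ever stored
    on the server, which is exactly Jeff's point about information-only sites."""
    user = parse_qs(query_string).get("user", [""])[0]
    return f"<p>Login failed for user {user}</p>"


def render_login_error_safe(query_string: str) -> str:
    """Same page with output encoding: markup characters become entities,
    so the browser renders the submitted text and executes nothing."""
    user = parse_qs(query_string).get("user", [""])[0]
    return f"<p>Login failed for user {html.escape(user, quote=True)}</p>"


def post_news_item(text: str) -> None:
    """Persistent path: the submission is kept as submitted; encoding is a
    rendering concern, not a storage concern."""
    NEWS_ITEMS.append(text)


def render_news_vulnerable() -> str:
    """Persistent XSS: every later visitor receives whatever was stored, verbatim."""
    return "<ul>" + "".join(f"<li>{item}</li>" for item in NEWS_ITEMS) + "</ul>"


def render_news_safe() -> str:
    """The fix is identical to the reflected case: encode at the point of output."""
    return (
        "<ul>"
        + "".join(f"<li>{html.escape(item, quote=True)}</li>" for item in NEWS_ITEMS)
        + "</ul>"
    )


def untrusted_markup_survives(rendered: str, untrusted: str) -> bool:
    """Crude review check (hypothetical helper): does an untrusted string that
    contains markup characters reach the page unchanged, i.e. as live HTML
    rather than as text?"""
    has_markup_chars = any(c in untrusted for c in "<>\"'&")
    return has_markup_chars and untrusted in rendered


if __name__ == "__main__":
    # Constructed marker: harmless tags, enough to show whether encoding happened.
    marker = "<b>not-a-user</b>"
    print(render_login_error_vulnerable(login_query(marker)))
    print(render_login_error_safe(login_query(marker)))
    post_news_item(marker)
    print(render_news_vulnerable())
    print(render_news_safe())
```

The point the example makes about the thread's question: the reflected and the persistent variant differ only in where the untrusted string comes from (the request versus the store), and the same output-encoding discipline at render time closes both, so a site that "doesn't allow any kind of user input" still has to treat every request parameter it echoes as user input.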