Guest Scott Ocamb Posted December 10, 2008

I would like some help in understanding XSS security vulnerabilities.

I can see where a "hacker" could cause an implementation vulnerable to XSS attacks to inject JavaScript into the page and cause weird stuff to happen on his machine.

I can also see how a hacker could notice some vulnerable code, mock up a page that looks legitimate, send it to someone and cause them to pass on private information to the hacker.

What I cannot understand is how a hacker could gather information from another user's session and get private information. Is this possible and, if so, how?

I have a customer's site that has vulnerable pages, but we need to prioritize what we fix and want to focus on pages where private information is in play.

Or I could have missed something else...

Any help would be appreciated.
Guest FromTheRafters Posted December 10, 2008

http://www.cis.upenn.edu/~cis551/XSS.pdf

"Scott Ocamb" <socamb@hotmail.com> wrote in message news:%23GozV0tWJHA.5108@TK2MSFTNGP04.phx.gbl...
> I would like some help in understanding XSS security vulnerabilities.
>
> I can see where a "hacker" could cause an implementation vulnerable to XSS
> attacks to inject JavaScript into the page and cause weird stuff to happen on
> his machine.
>
> I can also see how a hacker could notice some vulnerable code, and mock up
> a page that looks legitimate, and send it to someone and cause them to
> pass on private information to the hacker.
>
> What I cannot understand is how a hacker could gather information from
> another user's session and get private information. Is this possible and,
> if so, how?
>
> I have a customer's site that has vulnerable pages, but we need to prioritize
> what we fix and want to focus on pages where private information is in
> play.
>
> Or I could have missed something else...
>
> Any help would be appreciated.
Guest John Mason Jr Posted December 11, 2008

Scott Ocamb wrote:
> I would like some help in understanding XSS security vulnerabilities.
>
> I can see where a "hacker" could cause an implementation vulnerable to XSS
> attacks to inject JavaScript into the page and cause weird stuff to happen
> on his machine.
>
> I can also see how a hacker could notice some vulnerable code, and mock
> up a page that looks legitimate, and send it to someone and cause them
> to pass on private information to the hacker.
>
> What I cannot understand is how a hacker could gather information from
> another user's session and get private information. Is this possible
> and, if so, how?
>
> I have a customer's site that has vulnerable pages, but we need to
> prioritize what we fix and want to focus on pages where private
> information is in play.
>
> Or I could have missed something else...
>
> Any help would be appreciated.

The following might help: <http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)>

You might also want to pick up a copy of "XSS Exploits: Cross Site Scripting Attacks and Defense".

John
Guest Scott Ocamb Posted December 11, 2008

Thanks for the document link.

Please validate my understanding:

GoodGuy visits Vulnerable.com and accesses TopSecret.html. This page collects tons of personal and important information. It also has an XSS loophole that allows GoodGuy's personal information to be retrieved via a cookie. GoodGuy is oblivious and continues to use the site.

BadGuy visits Vulnerable.com and accesses TopSecret.html. "Aha," he says, and crafts a site BadGuy.com to look just like TopSecret.html. All BadGuy needs to do is fool GoodGuy and others into visiting BadGuy.com, and BadGuy can get tons of personal information.

BadGuy can send GoodGuy and others emails to fool them into visiting BadGuy.com. (I get this.)

BadGuy can post blog entries to fool GoodGuy and others into visiting BadGuy.com. (I get this too.)

What I do not see is how BadGuy can somehow fool GoodGuy into arriving at BadGuy.com during one session of operation and steal private information. BadGuy does not know who GoodGuy is. It seems to me that GoodGuy can only arrive at BadGuy.com via an indirect method like email or blog. Is this correct?

Any help is appreciated. If not, please explain how GoodGuy can be directed to BadGuy.com during normal operation of Vulnerable.com.

"FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:%23MbMdWvWJHA.256@TK2MSFTNGP06.phx.gbl...
> http://www.cis.upenn.edu/~cis551/XSS.pdf
>
> "Scott Ocamb" <socamb@hotmail.com> wrote in message
> news:%23GozV0tWJHA.5108@TK2MSFTNGP04.phx.gbl...
>> I would like some help in understanding XSS security vulnerabilities.
>>
>> I can see where a "hacker" could cause an implementation vulnerable to XSS
>> attacks to inject JavaScript into the page and cause weird stuff to happen on
>> his machine.
>>
>> I can also see how a hacker could notice some vulnerable code, and mock up
>> a page that looks legitimate, and send it to someone and cause them to
>> pass on private information to the hacker.
>>
>> What I cannot understand is how a hacker could gather information from
>> another user's session and get private information. Is this possible and,
>> if so, how?
>>
>> I have a customer's site that has vulnerable pages, but we need to prioritize
>> what we fix and want to focus on pages where private information is in
>> play.
>>
>> Or I could have missed something else...
>>
>> Any help would be appreciated.
Guest FromTheRafters Posted December 12, 2008

Inline.

"Scott Ocamb" <socamb@hotmail.com> wrote in message news:uMJ4687WJHA.3808@TK2MSFTNGP05.phx.gbl...
> Thanks for the document link.

You're welcome.

> Please validate my understanding:

If I can.

> GoodGuy visits Vulnerable.com and accesses TopSecret.html.

With you so far.

> This page collects tons of personal and important information.

This is normal operation when you trust a site with such information. You also trust that site to place cookies on your machine in a way that (mostly) only that site is supposed to be able to access them.

> It also has an XSS loophole that allows GoodGuy's personal information
> to be retrieved via a cookie.

The key thing with an XSS vulnerability is that the bad guy is able to put an untrusted script in a place where you will take it as a trusted script. Running from a site that is supposed to have access to said cookies is kind of a bonus for the bad guy.

> GoodGuy is oblivious and continues to use the site.

Yes, and the site itself continues to function as normal.

> BadGuy visits Vulnerable.com and accesses TopSecret.html.

Perhaps not; the bad guy only needs to place his script on the vulnerable server. What that script does is ancillary to the XSS vulnerability.

> "Aha," he says, and crafts a site BadGuy.com to look just like TopSecret.html.

He could do that, and have his script send you to that site.

> All BadGuy needs to do is fool GoodGuy and others into visiting BadGuy.com,
> and BadGuy can get tons of personal information.

Not fool them, just send them - the script could send visitors elsewhere.

> BadGuy can send GoodGuy and others emails to fool them into visiting
> BadGuy.com. (I get this.)

Not fool them... Fooling someone into visiting a site is beyond (or beneath) the scope of XSS vulnerabilities. Social engineering is another kind of exploit in itself. XSS isn't needed if you could just trick the user into divulging the info.

But there are (or should be) restrictions on what can be scripted in an e-mail (some still feel e-mail shouldn't even be HTML, let alone support scripting). Scripting in e-mail should fall under "untrusted", but as the XSS vector allows ingress of untrusted scripting into a trusted scenario, it is more powerful.

In the past (with IE/OE) I could use a "refresh" to make the receiving client (OE) visit the website of my choice without the user having to take any action (aside from having the preview pane enabled). This has been fixed (hopefully) in recent versions, but such a thing can still be done through XSS because your web client "trusts" the content on the website.

> BadGuy can post blog entries to fool GoodGuy and others into visiting
> BadGuy.com. (I get this too.)

XSS is not needed if you just want to fool users into doing something unwise. In fact, it takes great effort to stop them from doing unwise things - like circumventing LUA at the drop of a hat (another subject).

> What I do not see is how BadGuy can somehow fool GoodGuy into arriving at
> BadGuy.com during one session of operation and steal private information.
> BadGuy does not know who GoodGuy is.

None of this really has anything to do with XSS - there are examples in the URL of what could be done with XSS - but the key feature is the running of the script.

If the script sends you to a bogus look-alike of the site you believe you are entering your information into - or it uses the fact that your onboard cookies for that legitimate site are available to be sent to the bad guy - it is still the script ingress method that is XSS.

> It seems to me that GoodGuy can only arrive at BadGuy.com via an indirect
> method like email or blog.
> Is this correct?

The bad guy uses Vulnerable.com's XSS vulnerability to place a bad script to be executed on the client machine when someone visits Vulnerable.com.

Bad guy's untrusted script --> vulnerable.com --> trusted script for Good guy's machine.

Cross Site Scripting.

> Any help is appreciated.

> If not, please explain how GoodGuy can be directed to BadGuy.com during
> normal operation of Vulnerable.com.

A reference to BadGuy.com could be scripted. BadGuy.com is not needed for XSS.

> "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
> news:%23MbMdWvWJHA.256@TK2MSFTNGP06.phx.gbl...
>> http://www.cis.upenn.edu/~cis551/XSS.pdf
>>
>> "Scott Ocamb" <socamb@hotmail.com> wrote in message
>> news:%23GozV0tWJHA.5108@TK2MSFTNGP04.phx.gbl...
>>> I would like some help in understanding XSS security vulnerabilities.
>>>
>>> I can see where a "hacker" could cause an implementation vulnerable to XSS
>>> attacks to inject JavaScript into the page and cause weird stuff to happen
>>> on his machine.
>>>
>>> I can also see how a hacker could notice some vulnerable code, and mock
>>> up a page that looks legitimate, and send it to someone and cause them
>>> to pass on private information to the hacker.
>>>
>>> What I cannot understand is how a hacker could gather information from
>>> another user's session and get private information. Is this possible
>>> and, if so, how?
>>>
>>> I have a customer's site that has vulnerable pages, but we need to
>>> prioritize what we fix and want to focus on pages where private
>>> information is in play.
>>>
>>> Or I could have missed something else...
>>>
>>> Any help would be appreciated.
Guest John Mason Jr Posted December 14, 2008

Scott Ocamb wrote:
> Thanks for the document link.
>
> Please validate my understanding:
>
> GoodGuy visits Vulnerable.com and accesses TopSecret.html.
> This page collects tons of personal and important information. It also
> has an XSS loophole that allows GoodGuy's personal information
> to be retrieved via a cookie.
>

Look at it a different way: if the bad guy can cause the third party's browser to execute his code, he can control the entire experience for the third party.

He might cause another website to be opened.
He might download an exe to the machine and execute it.
Or maybe he opens a dialog box requesting that you log into the web site, to steal your credentials.
Or, to make it easier, code that redirects you to the bad website, and it is just full of exploits so your computer can be added to his botnet.

John
Guest FromTheRafters Posted December 14, 2008

"John Mason Jr" <notvalid@cox.net.invalid> wrote in message news:gi1il6$5eb$1@news.motzarella.org...
> Scott Ocamb wrote:
>> Thanks for the document link.
>>
>> Please validate my understanding:
>>
>> GoodGuy visits Vulnerable.com and accesses TopSecret.html.
>> This page collects tons of personal and important information. It also
>> has an XSS loophole that allows GoodGuy's personal information
>> to be retrieved via a cookie.
>>
>
> Look at it a different way: if the bad guy can cause the third party's
> browser to execute his code, he can control the entire experience for the
> third party.

Right, the only social engineering aspect is when the attacker needs to trick the user into launching a reflected XSS attack. The key thing is that the script gets executed under the guise of a trusted site - usually given access to pretty yummy cookies.
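An added example, not code from this thread or from any site it mentions, that covers two points made above: FromTheRafters' "untrusted script --> vulnerable.com --> trusted script" ingress path, and the "yummy cookies" a script gains access to once it runs. It shows the unescaped comment rendering beside its escaped form and a session cookie set so that page script cannot read it; the function names and the sample comment are assumptions of mine.

```javascript
// Added example (not from the thread). Names renderCommentVulnerable,
// renderCommentSafe, escapeHtml, sessionCookie and containsScriptTag are mine.

// 1. The ingress. A page that drops a stored user comment straight into its
//    HTML turns whatever BadGuy posted into a script GoodGuy's browser trusts,
//    because it arrives from the legitimate site.
function renderCommentVulnerable(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Output encoding: replace the five characters that let text break out of an
// HTML text node or a quoted attribute value. Done at output time, this closes
// the ingress path for every stored or reflected comment, not just known ones.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// 2. The cookies. A session cookie marked HttpOnly is still sent to the site
//    with every request, but document.cookie no longer exposes it to page
//    script, so even a script that did get in cannot read it. Secure and
//    SameSite narrow where the browser will send it at all.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Crude review check over rendered HTML: is there an executable script element
// where the site only intended to show user text?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample input: a comment carrying a script element, the kind of
// content the thread describes BadGuy placing on the vulnerable server.
const SAMPLE_COMMENT = '<script>alert("xss")</script>';

console.log('vulnerable :', renderCommentVulnerable(SAMPLE_COMMENT));
console.log('escaped    :', renderCommentSafe(SAMPLE_COMMENT));
console.log('Set-Cookie :', sessionCookie('SESSID', 'abc123'));
```

The escaped rendering shows the comment as literal text, so the browser never executes it; the cookie line is what the server should emit in its Set-Cookie header.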