BugTraq
Re: <BASE> tag used for hijacking external resources (XSS) Dec 16 2011 09:44PM
Bouke van Laethem (vanlaethem gmail com) (1 replies)
Re: <BASE> tag used for hijacking external resources (XSS) Dec 16 2011 10:27PM
Mario Vilas (mvilas gmail com) (1 replies)
Re: <BASE> tag used for hijacking external resources (XSS) Dec 17 2011 12:10AM
Bouke van Laethem (vanlaethem gmail com) (1 replies)
Re: <BASE> tag used for hijacking external resources (XSS) Dec 17 2011 10:02AM
Mario Vilas (mvilas gmail com)
You make good points in the rest of the email. This one, however,
doesn't convince me...

On Sat, Dec 17, 2011 at 1:10 AM, Bouke van Laethem <vanlaethem (at) gmail (dot) com [email concealed]> wrote:
> Wouldn't you agree that by this definition no XSS is ever a
> vulnerability: you are just using the ability to inject HTML in order
> to inject some unaccounted for HTML, right?

Well, not quite. The idea of an XSS is that you can gain the privilege
to inject HTML code when you didn't have any.

HTML is not the same as textual content, for example - a blog that
lets you add comments to a blog post is not giving you the ability to
inject HTML tags, so if you manage to do that you've gained a
privilege you're not supposed to have.

Same goes for any other XSS - you always being by assuming you can't
inject HTML tags, and it's a vulnerability when you can. If you being
by assuming you can already insert HTML tags then there could be
millions of things to do from there, since your injected code can do
the same things the legitimate code can do, and there's no way to tell
them apart. Every single browser feature would be considered a
vulnerability.

That's why I'd categorize this as an exploitation aid rather than a
vulnerability. Then again you can always think I'm being too picky ;)

--
?There's a reason we separate military and the police: one fights the
enemy of the state, the other serves and protects the people. When the
military becomes both, then the enemies of the state tend to become
the people.?

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus