From: jeremiah at whitehatsec.com (Jeremiah Grossman)
Subject: Re: New Web Vulnerability - Cross-Site Tracing

On Wed, 2003-01-22 at 13:31, xss-is-lame@...hmail.com wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> I would like to point out that in order to execute an "XST" attack, you have to be able
> to get JavaScript/Flash/etc executed on the victim's system as a PREREQUISITE.

certainly.


> 
> So, to summarize:
> 
> If you can get arbitrary JavaScript executed on a web client, you can use this attack method to
> get arbitrary JavaScript executed on a web client, in a different zone.


this is correct. Via a web page, message board, web mail, etc etc etc.

> 
> Is this a useful thing to know if you're looking for a way to steal cookies? Sure!
> Is this a revolutionary tactic that will allow you to compromise the security of any of
> the webservers listed in the whitepaper? No.


Ok... we are not talking about "rooting" the web server here, but
compromising the user credentials client-side. The credentials, be they
cookies or basic authentication, come from a protected domain. You can now
XSS any domain from the user's browser even if the domain has no web apps
at all.




> This isn't any different from the many, many, many known ways of violating
> someone's HTTP client if you can get them to execute Flash or JavaScript or ActiveX of your choice.


I must disagree... this is a much much different way to perform a
credential theft. But...for the sake of information, can you provide me
a link where they do it in this manner?
  
> We've seen dozens of holes in IE's security constraints that allow attackers to view files,
> steal cookies or execute commands.  Unlike Guninski or GreyMagic's advisories, this one has
> simply been built up to ridiculous proportions with marketing language in the press release
> and in the ExtremeTech article.

Again, not using this method.
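
The point argued above is that a TRACE-enabled server hands script on the client a copy of its own request headers, including the Cookie or Authorization header the browser attached for a protected domain. The following is an added example, not part of this thread or of the XST whitepaper: a small Python audit check that sends a TRACE request carrying a constructed probe header and a dummy cookie and reports whether the server echoes them back in a 2xx body. Both servers it runs against are constructed for the example (one that implements TRACE as an echo, one that does not implement it at all); the header name `X-XST-Probe` and the cookie value are constructed too. The check is what a defender would run against their own hosts to confirm TRACE is disabled, and the second handler shows the mitigation: simply not serving the method.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed, harmless header name the audit check looks for in the echo.
MARKER = "X-XST-Probe"
DUMMY_COOKIE = "session=dummy"  # constructed value; never a real credential


class EchoTraceHandler(BaseHTTPRequestHandler):
    """Constructed server that implements TRACE the way the RFC describes it:
    the request line and headers are echoed back in the body. Any Cookie or
    Authorization header the browser attached becomes readable page content."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class NoTraceHandler(BaseHTTPRequestHandler):
    """Hardened variant: no do_TRACE method, so BaseHTTPRequestHandler
    answers every TRACE with 501 Unsupported method and echoes nothing."""

    def log_message(self, *args):
        pass


def start_server(handler):
    """Bind to a free loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def stop_server(srv):
    srv.shutdown()
    srv.server_close()


def trace_reflects_headers(host, port, timeout=5):
    """Audit check: TRACE the server with a probe header and a dummy cookie.
    Returns True only if a 2xx body reflects both, i.e. the server would hand
    script running in a browser a copy of that browser's own credentials."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/",
                     headers={MARKER: "probe", "Cookie": DUMMY_COOKIE})
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
    finally:
        conn.close()
    return 200 <= resp.status < 300 and MARKER in body and DUMMY_COOKIE in body


def audit(server):
    """Run the check against one of the constructed servers above."""
    host, port = server.server_address
    return trace_reflects_headers(host, port)


if __name__ == "__main__":
    for name, handler in (("echoing TRACE", EchoTraceHandler),
                          ("TRACE disabled", NoTraceHandler)):
        srv = start_server(handler)
        print(f"{name}: reflects request headers = {audit(srv)}")
        stop_server(srv)
```

Disabling the method is only half of the mitigation the thread implies: the echo is dangerous because the browser attaches credentials automatically, so the check deliberately sends its own dummy cookie rather than relying on any real session.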




