lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: jeremiah at whitehatsec.com (Jeremiah Grossman) Subject: Re: New Web Vulnerability - Cross-Site Tracing On Wed, 2003-01-22 at 13:31, xss-is-lame@...hmail.com wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > I would like to point out that in order to execute an "XST" attack, you have to be able to able to get JavaScript/Flash/etc executed on the victim's system as a PREREQUISITE. certainly. > > So, to summarize: > > If you can get arbitrary JavaScript executed on a web client, you can use this attack method to get arbitrary JavaScript executed on a web client, in a different zone. this is correct. Via a web page, message board, web mail, etc etc etc. > > Is this a useful thing to know if you're looking for a way to steal cookies? Sure! Is this a revolutionary tactic that will allow you to compromise the security of any of the webservers listed in the whitepaper? No. Ok... we are not talk about "rooting" the web server here, but compromising the user credentials client-side. The credentials be it cookies or basic authentication, from a protected domain. You can now XSS any domain from the users browser even if the domain has no web apps at all. > This isn't any different from the many, many, many known ways of violating someone's HTTP client if you can get them to execute Flash or JavaScript or ActiveX of your choice. I must disagree... this is a much much different way to perform a credential theft. But...for the sake of information, can you provide me a link where they do it in this manner? We've seen dozens of holes in IE's security constraints that allow attackers to view files, steal cookies or execute commands. Unlike Guninski or GreyMagic's advisories, this one has simply been built up to ridiculous proportions with marketting language in the press release and in the ExtremeTech article. Again, not using this method.
Powered by blists - more mailing lists