lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: se_cur_ity at hotmail.com (morning_wood) Subject: Cross-Site Scripting - an industry-wide problem quite commom, funny because xss can be used in PHISHING attacks. instead of <alert blah> try some html redirects to a hosted site with a fake login spoofing the original content ( a login page ) and capture username/password then pass them to the real login page. or better yet... xss dos attacks, like. [script] alert("oh no") ;window.close() [/script] but i guess xss is just kiddi play... or is it? m.w > Cross-Site Scripting - an industry-wide problem > =============================================== > > In early december i started a series of tests to find Cross-Site Scripting > (XSS) vulnerabilities. It quickly turned out that the majority of all major > websites suffer some kind of XSS. This is a disclosure of 175 > vulnerabilities at once. Enjoy the ride... > > Test scenario > ============= > > A site was considered affected if it is possible to inject a javascript into > the output page by making a browser GET or POST request to the webserver. As > a proof-of-concept the script "alert(document.cookie)" got used. > > All tests were made on a fully patched WinXP SP2 machine and Internet > Explorer 6. Most of the proof-of-concept links in this report will not work > using another browser, mainly because in many cases i used javascript in > styles which isn't supported by browsers like Firefox and because Firefox > automaticly applies character encoding to a URL. I was just too lazy to test > each issue cross-browser, so this doesn't mean automaticly that Internet > Explorer is more vulnerable to XSS. > > Impact > ====== > > In many cases XSS is reduced to the attack of stealing session cookies, but > XSS can be used to do a lot more things. Using DOM manipulation you can > change the target of a login form or fake one, change download links or > simply insert your own content into a website. As part of mass-mailings this > can be used for login data phishing, spreading of malware or distribution of > false news that seem to come from a trustworthy source (which is an > intresting option for daytraders on penny stocks for example). > > Don't forget that the injected script is running in the security context of > the affected site. If you know who you are attacking and that the victim has > the affected site in a special trusted zone it can be possible to execute > "not safe for scripting" ActiveX controls - giving you more or less total > control. In intranets and for extranet web applications this is a not so > uncommon configuration. > > For sure XSS is nothing compared to a remote buffer overflow. But only > because this "worst case scenario" is happening quite often these days, it > does not mean XSS is not a security issue. XSS flaws are easy to find and > spammers are always searching for new stuff. > > Finally for some sites on the list dedicated to security a XSS flaw is just > an embarrassing thing ;) > > Affected sites > ============== > > This list is reduced to the second-level domain for readability and posting > size. This isn't always fair since sometimes a sub-domain is indepentend > from the SLD. Please download the complete list of proof-of-concept links > from http://www.mikx.de/xss.php. > > All webmasters were informed by an email and/or their website feedback forms > during december, to give them a fair chance to react. Some of them replied > really quick and patched the issue in a few hours, others (sadly a lot) > never replied. If you are responsible for one of the affected sites and you > have not been informed or are not able to reproduce the issue, please don't > hesitate to contact me. > > The sites in the tests were picked at random from international and german > major websites and/or sites related to security/computers. I just tested > what came to my head - so there is no "hidden message": > > about.com, activestate.com, adobe.com, altavista.com, amazon.com, amd.com, > annoyances.org, aol.com, apache.org, apple.com , archive.org, arcor.de, > ask.com, ati.com, bahn.de, bitdefender.de, blizzard.com, blogdex.net, > blogger.com, bloogz.com, ca.com, ccc.de, cdu.de, chip.de, ciao.de, cert.org, > chillingeffects.org, cnn.com, comdirect.de, consors.de, csialliance.org, > csu.de, dell.com, daypop.com, divx.com, dooyoo.de, doubleclick.com, > download.com, easycredit.de, ebay.com, etrade.com, evite.com, excite.com, > fedex.com, fimatex.de, flexwiki.com, fool.com, free-av.de, freshmeat.net, > fsf.org, fujitsu.com, gamestar.de, gm.com, gmx.net, gnu.org, go.com, > golem.de, google.com, groupee.com, gruene-partei.de, guenstiger.de, > heise.de, hosting.com, hp.com, ibm.com, icq.com, idealo.de, imagemagick.org, > infineon.com, informationsecurityireland.com, infospace.com, intel.com, > itaa.org, izb.de, jamba.de , juno.com, kde.org, kelkoo.de, kerio.com, > liberale.de, linspire.com, looksmart.com, lufthansa.com, lycos.com, > macromedia.com, mandrakesoft.com, mayflower.de, mcafee.com, meetup.com, > messagelabs.com, metacrawler.com, metadot.com, microsoft.com, mlb.com, > mnogosearch.org, modblog.com, modssl.org, mozilla.org, mozillazine.org, > msdn.com, msn.com, msnbc.com, nasa.gov, nationalgeographic.com, nba.com, > netiq.com, nfl.com, netflix.com, netscape.com, nokia.com, novell.com, > nytimes.com, onlinekosten.de, opencores.org, openssl.org, opera.com, > oracle.com, paypal.com, pc-magazin.de, pcpowerplay.de, pcwelt.de, > phpcenter.de, pmwiki.org, privacy.org, pro7.de, ptb.de, postgresql.org, > quoka.de, reactos.com, real.com, redhat.com, redvsblue.com, riaa.com, > rtl.de, ryanair.com, sans.org, sbroker.de, securityfocus.com, > securityspace.com, shutterfly.com, slashdot.org, snocap.com, sony.com, > sourceforge.net, sparkasse.de, spd.de, spreadfirefox.com, squid-cache.org, > sqlite.org, staysafeonline.com, stern.de, strato.de, sun.com, suse.de, > technorati.com, telekombusiness.de, theonion.com, tiscali.com, > tomshardware.com, uci.edu , ups.com , upside.de, us-cert.gov, validome.org, > varbusiness.com, vasoftware.com, viruslist.com, w3.org, web.de, > worldofwarcraft.com, wsj.com, xoom.com, yahoo.com, yopi.de, zonelabs.com > > References > ========== > > It turned out that in some cases third party software used on the websites > are suffering a bug. Here the Common Vulnerabilities and Exposures > (cve.mitre.org) names: > > CAN-2004-1059 mnogosearch (as used at www.redhat.com) > CAN-2004-1061 bugzilla (as used at bugzilla.mozilla.org bug #272620) > CAN-2004-1062 viewcvs (as used at cvs.apache.org) > CAN-2004-1146 cvstrac (as used at cvs.openssl.org) > > http://www.slashcode.com/article.pl?sid=04/12/15/1540200 > http://www.mnogosearch.com/winhistory.html > > Credits > ======= > > I woud like to thank a few people for helping me out through the tests and > working on fixing the issues as quickly as possible: > > Christoph "Locke" Wehrmann (for making me addicted to XSS) > Mark J Cox (Red Hat Security Response Team) > Daniel Bachfeld (heisec) > Jamie McCarthy and Chris Nandor (slashcode) > Alexander Barkov (mnogosearch) > Microsoft Security Response Center > Google Security Team > Bugzilla Team > Everybody who responded to my report mail :) > > Contact > ======= > > Michael Krax <mikx@...x.de> > http://www.mikx.de/ > > > Happy Holidays! > mikx > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html >
Powered by blists - more mailing lists