Message-ID: <200307230406.h6N46Oqj004200@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: logically stopping xss 

On Tue, 22 Jul 2003 23:10:12 EDT, Justin Shin said:

> see there's a gazillion xss "exploits" just sitting out there that no-one
> knows of, and no admin can keep up with all the new "exploits" for xss. I am
> just looking for suggestions, that's all. I swear, when I said was stupid, I
> didn't mean I was THAT stupid :)

Oh.. *suggestions*.. That's different. ;)

If you're looking for XSS, start by finding a form that the user fills in
themselves. Then see if that data can be found on some OTHER page.  The only
two parts missing then are (a) improper filtering before redisplay and (b)
getting a victim to visit the other page. ;)

Unlike virus/malware detectors that can look for things like nop sleds, there's
no really general way to filter for XSS, since the whole trick is to pass
*legal* structures to the victim and have them interpreted in incorrect
contexts.  Quite often, the attack is a "recombinant DNA" type, where you're
providing fragments in several pieces all of which *looked* legal separately
(like one MUA that had an issue displaying a *series* of messages, each of
which had a small chunk of javascript in the Subject: line... Ouch ;)

You might want to get hold of a copy of Hofstadter's "Godel Escher Bach" - once
you read and understand the chapter on quining, knowing what signs of an XSS
problem to look for will be a lot easier.  The rest of the book is a worthwhile
read too - you'll learn a lot about exactly why scanners like SNORT can't be
100% right, and a lot less painfully than the Theory of Computation classwork
version. ;)
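
An added illustration of the two points above (improper filtering before redisplay, and fragments that each look legal on their own), not part of the original post: a per-field blacklist passes two constructed inputs separately, the page that concatenates them on redisplay ends up with a script element, and HTML-escaping at the point of output makes the same concatenation inert. All field names and sample values are assumed for the example.

```python
import html

# Constructed sample: two user-supplied fields (say a subject line and a
# signature) stored separately and redisplayed together on another page.
# Each one, inspected alone, contains nothing the blacklist objects to.
SUBJECT = "Hello <scr"
SIGNATURE = "ipt>alert(1)</script>"

# The "improper filtering" case: a blacklist applied per field at input time.
BLACKLIST = ("<script", "javascript:")


def naive_filter_ok(field: str) -> bool:
    """Return True if the blacklist finds nothing in this one field."""
    return not any(bad in field.lower() for bad in BLACKLIST)


def render_unsafe(subject: str, signature: str) -> str:
    """Redisplay by plain concatenation, trusting the input-time filter."""
    return f"<p>{subject}{signature}</p>"


def render_safe(subject: str, signature: str) -> str:
    """Redisplay with escaping applied at the output context (HTML body).

    The browser now sees the user's text as literal characters, no matter
    how the stored fragments recombine.
    """
    return f"<p>{html.escape(subject)}{html.escape(signature)}</p>"


def contains_script_element(markup: str) -> bool:
    """Crude check used here only to show the two renderings differ."""
    return "<script>" in markup.lower()


if __name__ == "__main__":
    print("filter accepts each field:", naive_filter_ok(SUBJECT), naive_filter_ok(SIGNATURE))
    print("unsafe:", render_unsafe(SUBJECT, SIGNATURE))
    print("safe:  ", render_safe(SUBJECT, SIGNATURE))
```

The escaping shown is correct only for text inside an HTML element; an attribute value, a URL or a script block each need their own encoding, which is the "wrong context" problem the post describes.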

