Message-ID: <63BD8211-BD60-11D7-826A-0003939DF990@boarder.org>
From: billp at boarder.org (Bill Pennington)
Subject: Search Engine XSS

It really is so site-specific that it is hard to say. The thing to 
remember about XSS is that general attack vectors are client-to-client. 
So user "a" can attack user "b". It is really not a client-to-server 
attack. The most common attack scenario that I have seen is getting 
user b to click on a link and sending the user's cookie from an XSS'able 
site to another site. Then the attacker (user a) can use that cookie to 
become user b. There are 2 types of XSS, URL based (aka transient) and 
permanent, where the code is placed in some place that is viewed by a 
number of users (like web mail, auctions, classifieds, chat boards, 
etc.).

Most web app geeks call permanent XSS HTML injection these days.

Now sites that have permanent XSS might also be vulnerable to SSI 
injection. That is when it becomes a client-to-server attack.

If you are interested you might want to check out the following URLs:

http://www.owasp.org/asac/input_validation/css.shtml
http://www.cgisecurity.com/articles/xss-faq.shtml

Of course a Google search for "Cross Site Scripting" will turn up a 
bunch of good links as well.



On Wednesday, July 23, 2003, at 03:35 PM, Shanphen Dawa wrote:

> So why not show one of these legitimate examples instead of the 
> overused window popup script?
>
> It would just be easier to ascertain the level of severity if an 
> actual DoS string or this "trusted internal call" was exploited.
>
> I am sure there are a lot of forms that can be a victim of a xss 
> string, but how many of them can actually be used for anything useful 
> (from an attacker point of view)?
>
>
> On Wed, 23 Jul 2003 11:34:53 -0700
> "morning_wood" <se_cur_ity@...mail.com> wrote:
>
>> both..
>>
>>> Can you use this to DoS the server?
>> consider that the server must process the requests.. i think it can 
>> be a
>> DoS issue with enough length and quantity of the requests.
>>
>>> Can you use this to gain access to areas on the server otherwise not
>> available?
>>
>> many servers assume a call to "/somefolder/somefile.ext" is a trusted
>> internal call.
>> where http://theserver/somefolder/somefile.ext
>>
>> morning_wood
>> http://exploitlabs.com
>>
>>
>>
>>
>
>
> -- 
> /*
> "To avoid all evil, to cultivate good,
> and to cleanse one's mind
> this is the teaching of the Buddhas."
>
> Martin Ekendahl
> http://www.hardlined.com
> martin@...dlined.com
> */
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
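The search-engine case the thread is about, as an added example that is not from any of the posters: a results page that echoes the query raw (the URL-based, "transient" XSS Bill describes) beside one that HTML-encodes at output time, plus the HttpOnly cookie flag that blunts the cookie-theft scenario. The `q` parameter name, the hostname and the sample hits are assumptions.

```python
# Added example, not code from the thread. Names below are assumptions.
import html
from urllib.parse import urlsplit, parse_qs


def render_results_vulnerable(query: str, hits: list) -> str:
    """Echoes the query straight into the page: the reflected XSS case."""
    items = "".join(f"<li>{h}</li>" for h in hits)
    return f"<h1>Results for {query}</h1><ul>{items}</ul>"


def render_results_safe(query: str, hits: list) -> str:
    """HTML-encodes every untrusted value at output time. The same step
    covers the "permanent" case (web mail, classifieds, boards): it does not
    matter whether the value came from the URL or from the database."""
    esc = html.escape
    items = "".join(f"<li>{esc(h)}</li>" for h in hits)
    return f"<h1>Results for {esc(query)}</h1><ul>{items}</ul>"


def query_from_url(url: str) -> str:
    """Pulls the search term out of the URL (assumes a 'q' parameter)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with HttpOnly: page scripts cannot read it through
    document.cookie, so a script that does run cannot ship it elsewhere.
    This limits the damage; it does not fix the XSS itself."""
    return f"sessionid={session_id}; Path=/; HttpOnly"


def contains_active_html(page: str) -> bool:
    """Crude check: does the rendered page still carry a raw <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    # Constructed link of the kind "user a" would hand to "user b"; the
    # payload is the same popup script the thread calls overused.
    link = "http://search.example.test/find?q=%3Cscript%3Ealert(1)%3C/script%3E"
    q = query_from_url(link)
    hits = ["first hit", "second <b>hit</b>"]  # constructed stored content
    print(contains_active_html(render_results_vulnerable(q, hits)))  # True
    print(contains_active_html(render_results_safe(q, hits)))        # False
    print(session_cookie_header("constructed-session-id"))
```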


