Open Source and information security mailing list archives
 
Message-ID: <20030825180935.2527.qmail@web41502.mail.yahoo.com>
From: illectro2001 at yahoo.com (Chris Sharp)
Subject: Non-Lame XSS Vulnerability - Analog-X Proxy

How about this for a halfway useful XSS issue:
AnalogX Proxy includes an HTTP proxy; when a domain
fails a DNS lookup, it will return an error page with
the failed domain name in it.
OK, great, so we can steal cookies from any web page on
the internet, providing it doesn't resolve. Not a lot
of use, I hear you say. OK, maybe you can take down a
nameserver long enough to steal cookies from some
site; how.... inelegant.
But the real trick is when you compare the URL
parsing of MSIE and AnalogX, say with a URL like....

http://www.yahoo.com<script>alert(document.cookie)</script>

Well, MSIE thinks that this is for the domain
www.yahoo.com, and so it uses the cookies from that
domain. However, AnalogX thinks that this is for the
domain

www.yahoo.com<script>alert(document.cookie)</script>

Unless you have very fucked up DNS, this won't resolve
to anything, and AnalogX will return an error page
containing the script.

Now if you're a smart hacker you can create a chain of
redirects using your server and the XSS URLs, bounce
the target to a whole host of URLs and steal all their
cookies, find those domains for which the user has
set low security settings and exploit these if you
like. Or whatever you want to accomplish with your
newfound global XSS prowess.

Chris Sharp
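
A proxy-side mitigation for the behaviour described in the message above, as an added example that is not part of the original post and is not AnalogX code: check the requested host against hostname grammar before any DNS lookup, and HTML-escape whatever the error page echoes. The function names, page template and status codes are assumptions made for illustration.

```python
import html
import re

# One hostname label per RFC 952/1123: letters, digits, hyphen; no edge hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def valid_hostname(host):
    """True only if host fits hostname grammar, so it is worth a DNS lookup."""
    host = host[:-1] if host.endswith(".") else host  # allow one trailing dot
    if not host or len(host) > 253:
        return False
    return all(LABEL.fullmatch(label) for label in host.split("."))


def error_page_naive(host):
    """Behaviour described in the post: the failed name is copied in verbatim."""
    return 502, "<html><body>Could not resolve " + host + "</body></html>"


def error_page_hardened(host):
    """Reject non-hostnames without echoing them; escape anything echoed."""
    if not valid_hostname(host):
        return 400, "<html><body>Malformed host in request</body></html>"
    return 502, ("<html><body>Could not resolve "
                 + html.escape(host) + "</body></html>")


# Constructed inputs: the host string quoted in the post, and a name that is
# syntactically valid but does not resolve.
POST_HOST = "www.yahoo.com<script>alert(document.cookie)</script>"
UNRESOLVED = "no-such-host.example"

if __name__ == "__main__":
    for h in (POST_HOST, UNRESOLVED):
        print("naive:   ", error_page_naive(h))
        print("hardened:", error_page_hardened(h))
```

The grammar check closes the parsing disagreement the post relies on, and the escaping covers any name that passes the check but still fails to resolve.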
