IT Security and Insecurity Portal

What's bad about XSS?

Posted: Tue May 25, 2004 5:45 pm
Rik
Beginner
Joined: May 25, 2004
Posts: 1

Can one explain what is so bad (for webmasters) about XSS?
So you can change the title of a webpage for example, big deal! I'm sure that's not a very good example, but please give me an example that makes me scared of XSS as a webmaster.

Posted: Tue May 25, 2004 7:11 pm
Tora
Regular user
Joined: May 19, 2004
Posts: 9
Location: Germany

Hi
Example:
On a phpNuke page you can steal the cookie from the Admin.
In this cookie the password hash is included.
With this hash you can manipulate your own cookie and log in as Admin on this site.
Sorry for my bad English, I think waraxe can describe it better.

Re: What's bad about XSS?

Posted: Tue May 25, 2004 8:27 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Rik wrote:
> Can one explain what is so bad (for webmasters) about XSS?
> So you can change the title of a webpage for example, big deal! I'm sure that's not a very good example, but please give me an example that makes me scared of XSS as a webmaster.

Cookie stealing is the main reason behind the fear of XSS, because cookies can contain information which identifies clients. If you steal that information, you can pretend to be someone else (ID theft basically), and this is definitely not good.

What else can be done with XSS? Well, think about it - web browsers are written in such a way that any scripting operations (JavaScript mostly, but VBScript too in fact) are all the time controlled against cross-domain security restrictions. For example - you surf to some "malicious site" (like some warez site, etc.) and then leave the browser window open in the background, and at the same time you log on to your Yahoo/Hotmail mailbox. Or even to your internet bank. Now think - what if that background malicious webpage runs some JavaScript which logs all your keystrokes - including usernames and passwords, reads other webpages' form data, etc. You got it already...

Relax - this is practically impossible, and that is thanks to the above mentioned cross-site (cross-domain) restrictions.

Now comes XSS - let's assume that a webmail service provider, or even an online bank webpage, has XSS flaws. Then malicious webmasters can write a script to do all the harmful stuff I mentioned above, and that's because they can INJECT JavaScript code INTO OTHER WEBSITES' CODE, therefore effectively bypassing all the browser-based security restrictions.

Remark - clipboard data has always been a weak point of IE. Any website can use JavaScript that reads clipboard content, so if you copy-paste some sensitive data - it could be stolen...

Posted: Mon May 31, 2004 4:51 am
b0ilz
Regular user
Joined: May 31, 2004
Posts: 10

Here is a post from the text available at http://www.governmentsecurity.org/articles/HackingWithJavascript.php. Please check out the links to http://online.securityfocus/archive/82/*; they contain many ways XSS can be a problem.

Quote:
> There are almost unlimited ways JavaScript can be used to make an attack. For more ways look at the thread in bugtraq started on Mar 16 2002 by zeroboy@arrakis.es
> http://online.securityfocus.com/archive/82/262341
> The following are the replies which actually state something true or useful. Most posts in this thread were confusing XSS with remote file writing, and some things people said were just wrong. But there are some good ones.
> http://online.securityfocus.com/archive/82/262346
> http://online.securityfocus.com/archive/82/262512
> http://online.securityfocus.com/archive/82/262957
> http://online.securityfocus.com/archive/82/263218
> http://online.securityfocus.com/archive/82/263406
> I might get a lot of flak for this, but I feel that XSS is currently over-hyped. People are sending advisories to bugtraq saying that sites and scripts are vulnerable to XSS when there is no real security concern. I feel that XSS is only a valid security problem if it can be used to gain access to something protected. Instead of blaming XSS for the problems, I would blame doing things which allow XSS to be abused. Things such as storing usernames and passwords in cookies, allowing logged-in users to access or change things without resubmitting a password, or having the session id somewhere accessible to client-side scripting. Now I am not saying XSS isn't a security problem, but it requires another variable to be abused. In many instances XSS is not a security concern at all, and other times when it is a problem the script should fix the other variables which XSS can abuse. Many XSS attacks require a lot of social engineering to work, so exploitation is trivial. This is not a reason to say XSS isn't a problem, but it helps people realize that it isn't as big a threat as some people believe. XSS is just too common a problem and too hard to stop; instead I suggest focusing on keeping things secure even if XSS is possible. XSS is a security problem, and it is being abused every day... but currently people are going a little nuts about it. What I am trying to say is: don't just blame XSS as the only problem when you store usernames and passwords in the user's cookie; in this case the overall script design is poor.
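The "other variable" Tora and the quoted text both describe is a cookie that carries a credential (a password hash) or a session id that client-side script can read. The following is an added example, not code from the thread: a server keeps a random session id that maps to the user server-side, marks the cookie so injected script cannot read it, and an audit helper flags the weak cookie designs named above. The session store and the sample Set-Cookie values are constructed for the example.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session store: session id -> user record.
# Credentials never leave the server; only the opaque id goes to the client.
SESSIONS = {}


def create_session(username):
    """Mint an unguessable session id (256 bits) and map it to the user."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username}
    return sid


def session_cookie_header(sid):
    """Build a Set-Cookie value that document.cookie cannot read."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["httponly"] = True   # not exposed to JavaScript, even under XSS
    c["sid"]["secure"] = True     # only sent over HTTPS
    c["sid"]["samesite"] = "Lax"  # not attached to cross-site POSTs
    c["sid"]["path"] = "/"
    return c.output(header="").strip()


def audit_set_cookie(header):
    """Return the weaknesses the thread complains about for one Set-Cookie value."""
    findings = []
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected script")
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP")
    if "samesite" not in attrs:
        findings.append("missing SameSite: sent on cross-site requests")
    if any(k in name.lower() for k in ("pass", "pwd", "hash")):
        findings.append("cookie %r looks like it carries a credential" % name)
    return findings


if __name__ == "__main__":
    sid = create_session("alice")
    print(session_cookie_header(sid))
    # Constructed example of the phpNuke-style design: a hash in the cookie.
    print(audit_set_cookie("pwdhash=deadbeef; path=/"))
```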

Posted: Fri Jun 11, 2004 5:20 pm
morniing_wood
Beginner
Joined: Jun 11, 2004
Posts: 1

XSS can be used very successfully in phishing attacks, especially with the *new* URL bar hiding in IE.
m.wood
http://exploitlabs.com

Posted: Fri Feb 04, 2005 4:51 am
Lostmon
Regular user
Joined: Jul 24, 2004
Posts: 6
Location: spain

Not only cookie stealing. For XSS you only need imagination, and to look at how many characters can be inserted in the form or in the variable that permits XSS.
Some variables only accept HTML injection, others HTML & JavaScript injection.
If the attacker looks for good work, they don't go and make phishing on the site; think, for example, that in HTML you can insert an iframe and execute all the content injected inside.
For example http://[target]/file.php?variable_vulnerable=value"><iframe src="../../etc/passwd"></iframe> - no need to explain what the source of the iframe can be: an exploit, a PHP file, a JS file, etc., and it can come from the same server or from a remote server if the configuration permits.
XSS is not only for looking at what changes in the web... it is a big security hole, and with imagination and science you can get some important information about the site.
2. You can spoof the site and go, for example, to Google and add these spoofed links.
--
Curiosity is what makes the mind move

Posted: Sat Feb 05, 2005 2:35 am
LINUX
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman

Posted: Sat Apr 02, 2005 3:03 pm
aracnet
Beginner
Joined: Dec 06, 2004
Posts: 1

Is PHP's strip_tags() on input good enough against XSS? And nl2br() for output (so only simple text maybe, but isn't it more secure?).
Also, if a site is using htmlentities() or htmlspecialchars() for the output of the data from the DB, do I still have a chance to bypass them?
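Whether htmlspecialchars() is enough depends on where the value is printed: with its default flags it escapes &amp;, &lt;, &gt; and the double quote but not the single quote (ENT_QUOTES adds it), so a value printed inside a single-quoted attribute is not contained. The following is an added example, not code from the thread or from PHP: it emulates the two escaping modes in Python and checks, for a given output context, whether the parser still sees the untrusted string as exactly one attribute value. It assumes Python's html.parser is a fair approximation of how a browser tokenizes the attribute; the sample input is constructed.

```python
import html
from html.parser import HTMLParser


def escape_compat(s):
    """Like htmlspecialchars($s) with default flags: single quote left alone."""
    return html.escape(s, quote=False).replace('"', "&quot;")


def escape_quotes(s):
    """Like htmlspecialchars($s, ENT_QUOTES): both quote characters escaped."""
    return html.escape(s, quote=True)


class _AttrCollector(HTMLParser):
    """Record the attributes the parser sees on the first start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = attrs


def attr_round_trips(untrusted, escape, quote):
    """Render <a title=QvalueQ> with the given escaper and quote character.

    Returns True only if the parser sees a single 'title' attribute whose
    value equals the original string, i.e. the encoding kept it contained.
    """
    markup = "<a title=%s%s%s>x</a>" % (quote, escape(untrusted), quote)
    p = _AttrCollector()
    p.feed(markup)
    p.close()
    return p.attrs == [("title", untrusted)]


if __name__ == "__main__":
    # Constructed input: contains a single quote and something that looks
    # like a further attribute once the quoting breaks.
    sample = "O'Reilly x=y"
    for esc in (escape_compat, escape_quotes):
        for q in ('"', "'"):
            print(esc.__name__, "in", q + "..." + q, attr_round_trips(sample, esc, q))
```

The one failing combination is the default-flags escaper inside a single-quoted attribute; double-quoting every attribute, or using ENT_QUOTES, keeps the value contained in all four cases.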
www.waraxe.us Forum Index -> Cross-site scripting aka XSS