Waraxe IT Security Portal
Login or Register
November 22, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 74
Members: 0
Total: 74
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Cross-site scripting aka XSS -> What's bad about XSS?
Post new topicReply to topic View previous topic :: View next topic
What's bad about XSS?
PostPosted: Tue May 25, 2004 5:45 pm Reply with quote
Rik
Beginner
Beginner
Joined: May 25, 2004
Posts: 1




Can one explain what is so bad (for webmasters) about XSS?
So you can change the title of a webpage for example, big deal! I'm sure that's not a very good example but please give me an example that makes me scared of XSS as being a webmaster. Smile
View user's profile Send private message
PostPosted: Tue May 25, 2004 7:11 pm Reply with quote
Tora
Regular user
Regular user
Joined: May 19, 2004
Posts: 9
Location: Germany




Hi Smile

Example:
on a phpNuke page you can steal the cookie from the Admin.
In this Cookie is the password-hash includet.
With this hash you can manipulate an own cookie and login as Admin on this site.

sorry for my bad english, i think waraxe can it better describe Wink
View user's profile Send private message Visit poster's website
Re: What's bad about XSS?
PostPosted: Tue May 25, 2004 8:27 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Rik wrote:
Can one explain what is so bad (for webmasters) about XSS?
So you can change the title of a webpage for example, big deal! I'm sure that's not a very good example but please give me an example that makes me scared of XSS as being a webmaster. Smile


Cookie stealing is main reason behind the fear of XSS, because cookies can contain information which identifies clients. If you steal that
information, you can pretend to be someone else (ID theft basically)
and this is definately not good Smile
What else can be done with XSS? Well, think about it - webbrowsers
are written in such a way that any scripting operations (javascript mostly,
but vbscript too in fact) are all the time controlled against cross-domain
security restrictions. For example - you will surf to some "malicious site"
(like some warez site, etc) and then let browser window be open in
background, and in same time you log on to yahoo/hotmail mailbox. Or
even to internet bank. Now think - what if that background malicious
webpage runs some javascript, which logs all your keystrokes -
including usernames and passwords, reads other webpage form data, etc.
You got it already... Shocked
Relax - this is practically impossible, and that is thanks to above mentioned cross-site (cross-domain) restrictions.
Now comes XSS - lets assume, that webmail service provider, or even
online bank webpage has XSS flaws. Then malicious webmasters can
write script to do all the harmful stuff I mention above, and that's because
they can INJECT javascript code TO OTHER WEBSITE CODE, therefore
effectively bypassing all the browser-based security restrictions.
Remark - clipboard data has alway been a weak point of IE. Any website
can use javascript, that reads clipboard content, so if you do copy-paste
with some sensitive data - it could be stolen...
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Mon May 31, 2004 4:51 am Reply with quote
b0ilz
Regular user
Regular user
Joined: May 31, 2004
Posts: 10




here is post from text avaliable at http://www.governmentsecurity.org/articles/HackingWithJavascript.php Please check out the links to http://online.securityfocus/archive/82/* they contain many ways xss can be a problem.

Quote:
There are almost unlimited ways javascript can be used to make an attack. For more ways look at the thread in bugtraq started on Mar 16 2002 by zeroboy@arrakis.es

http://online.securityfocus.com/archive/82/262341

The following are the replies which actually stat something true or useful. Most posts in this thread were confusing XSS with remote file writing, also some things people said were just wrong. But there are some good ones.

http://online.securityfocus.com/archive/82/262346
http://online.securityfocus.com/archive/82/262512
http://online.securityfocus.com/archive/82/262957
http://online.securityfocus.com/archive/82/263218
http://online.securityfocus.com/archive/82/263406

I might get alot of flack for this, but I feel that XSS is currently over hyped. People are sending advisories to bugtraq saying that sites and scripts are vulnerable to XSS when there is no real security concern. I feel that XSS is only a valid security problem if it can be used to gain access to something protected. Instead of blaming XSS for the problems, I would blame doing things which allow XSS to be abused. Things such as storing username and passwords in cookies, allowing logged in users to access or changes things without resubmitting a password, or having the session id somewhere accessable to client side scripting. Now I am not saying XSS isn't a security problem, but it requires another variable to be abused. In many instances XSS is not a security concern at all, and other times when it is a problem the script should fix the other variables which XSS can abuse. Many XSS attacks require alot of social engineering to work, so exploitation is trival. This is not a reason to say XSS isn't a problem, but it helps people realize that it isn't as big a threat as some people believe. XSS is just too common a problem and too hard to stop, instead I suggest focusing on keeping things secure even if XSS is possible. XSS is a security problem, and it is being abused everyday... but currently people are going alittle nuts about it. What I am trying to say is: don't just blame XSS as the only problem when you store username and passwords in the user's cookie, in this case the overall script design is poor.
View user's profile Send private message
PostPosted: Fri Jun 11, 2004 5:20 pm Reply with quote
morniing_wood
Beginner
Beginner
Joined: Jun 11, 2004
Posts: 1




xss can be used very successfully in phishing attacks, esp with the *new* urlbar hiding in IE


m.wood
http://exploitlabs.com
View user's profile Send private message
PostPosted: Fri Feb 04, 2005 4:51 am Reply with quote
Lostmon
Regular user
Regular user
Joined: Jul 24, 2004
Posts: 6
Location: spain




Not only Cookie stealing, for XSS only need imagination and look so many caracters can insert in the form or in the variable whats permit XSS
some variables only acept html injection ,other html&javascript injection.

if the atacker look for good work , no go to make phishing on the site if you think for example in html you can inser a iframe and execute all the conten injected inside
for exaple http://[target]/file.php?variable_vulnerable=value"><iframe src="../../etc/passwd"></iframe> no explain what source of iframe can be a xploit a php file a js etc... and can comming form a the same server or a remote server if the configuration permits.

XSS is not only for Looking whats change in the web ... is a big securiti hole and whith imagination and science you can got some important information about the site.

2 you can spoff the site and go for exaple to google and add this spoffed links.

_________________
--
La curiosidad es lo que hace mover la mente
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sat Feb 05, 2005 2:35 am Reply with quote
LINUX
Moderator
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman




pfff need more visit this site my friend http://www.shocking.com/~rsnake/xss.html
View user's profile Send private message Visit poster's website
PostPosted: Sat Apr 02, 2005 3:03 pm Reply with quote
aracnet
Beginner
Beginner
Joined: Dec 06, 2004
Posts: 1




is strip_tags() of php for input dn is good enough againts xss?and nl2br() for out put.(so simple texts may be,but is not it more secure?)

Also if site is using htmlentities() or htmlspecialchars() for output of the data from DB still am i have a change to bybass them?
View user's profile Send private message
What's bad about XSS?
www.waraxe.us Forum Index -> Cross-site scripting aka XSS
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.047 Seconds