Waraxe IT Security Portal  
January 19, 2020
What's bad about XSS?
Posted: Tue May 25, 2004 5:45 pm
Rik
Beginner
Joined: May 25, 2004
Posts: 1

Can one explain what is so bad (for webmasters) about XSS?
So you can change the title of a webpage for example, big deal! I'm sure that's not a very good example but please give me an example that makes me scared of XSS as being a webmaster. :)

Posted: Tue May 25, 2004 7:11 pm
Tora
Regular user
Joined: May 19, 2004
Posts: 9
Location: Germany

Hi :)

Example:
On a phpNuke page you can steal the cookie from the Admin.
The password hash is included in this cookie.
With this hash you can manipulate your own cookie and log in as Admin on this site.

Sorry for my bad English, I think waraxe can describe it better ;)

Re: What's bad about XSS?
Posted: Tue May 25, 2004 8:27 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Rik wrote:
Can one explain what is so bad (for webmasters) about XSS?
So you can change the title of a webpage for example, big deal! I'm sure that's not a very good example but please give me an example that makes me scared of XSS as being a webmaster. :)

Cookie stealing is the main reason behind the fear of XSS, because cookies can contain information which identifies clients. If you steal that information, you can pretend to be someone else (ID theft basically), and this is definitely not good :)

What else can be done with XSS? Well, think about it - web browsers are written in such a way that any scripting operations (JavaScript mostly, but VBScript too in fact) are checked all the time against cross-domain security restrictions. For example - you surf to some "malicious site" (like some warez site, etc.) and then leave the browser window open in the background, and at the same time you log on to a Yahoo/Hotmail mailbox. Or even to an internet bank. Now think - what if that background malicious webpage runs some JavaScript, which logs all your keystrokes - including usernames and passwords, reads other webpage form data, etc. You got it already... :o

Relax - this is practically impossible, and that is thanks to the above-mentioned cross-site (cross-domain) restrictions.

Now comes XSS - let's assume that a webmail service provider, or even an online bank webpage, has XSS flaws. Then malicious webmasters can write a script to do all the harmful stuff I mention above, and that's because they can INJECT JavaScript code TO OTHER WEBSITE CODE, therefore effectively bypassing all the browser-based security restrictions.

Remark - clipboard data has always been a weak point of IE. Any website can use JavaScript that reads clipboard content, so if you do copy-paste with some sensitive data - it could be stolen...

Posted: Mon May 31, 2004 4:51 am
b0ilz
Regular user
Joined: May 31, 2004
Posts: 10

Here is a post from text available at http://www.governmentsecurity.org/articles/HackingWithJavascript.php Please check out the links to http://online.securityfocus/archive/82/* they contain many ways XSS can be a problem.

Quote:
There are almost unlimited ways javascript can be used to make an attack. For more ways look at the thread in bugtraq started on Mar 16 2002 by zeroboy@arrakis.es

http://online.securityfocus.com/archive/82/262341

The following are the replies which actually state something true or useful. Most posts in this thread were confusing XSS with remote file writing, also some things people said were just wrong. But there are some good ones.

http://online.securityfocus.com/archive/82/262346
http://online.securityfocus.com/archive/82/262512
http://online.securityfocus.com/archive/82/262957
http://online.securityfocus.com/archive/82/263218
http://online.securityfocus.com/archive/82/263406

I might get a lot of flack for this, but I feel that XSS is currently overhyped. People are sending advisories to bugtraq saying that sites and scripts are vulnerable to XSS when there is no real security concern. I feel that XSS is only a valid security problem if it can be used to gain access to something protected. Instead of blaming XSS for the problems, I would blame doing things which allow XSS to be abused. Things such as storing username and passwords in cookies, allowing logged in users to access or change things without resubmitting a password, or having the session id somewhere accessible to client side scripting. Now I am not saying XSS isn't a security problem, but it requires another variable to be abused. In many instances XSS is not a security concern at all, and other times when it is a problem the script should fix the other variables which XSS can abuse. Many XSS attacks require a lot of social engineering to work, so exploitation is trivial. This is not a reason to say XSS isn't a problem, but it helps people realize that it isn't as big a threat as some people believe. XSS is just too common a problem and too hard to stop, instead I suggest focusing on keeping things secure even if XSS is possible. XSS is a security problem, and it is being abused every day... but currently people are going a little nuts about it. What I am trying to say is: don't just blame XSS as the only problem when you store username and passwords in the user's cookie, in this case the overall script design is poor.

Posted: Fri Jun 11, 2004 5:20 pm
morniing_wood
Beginner
Joined: Jun 11, 2004
Posts: 1

xss can be used very successfully in phishing attacks, esp with the *new* urlbar hiding in IE


m.wood
http://exploitlabs.com

Posted: Fri Feb 04, 2005 4:51 am
Lostmon
Regular user
Joined: Jul 24, 2004
Posts: 6
Location: Spain

Not only cookie stealing; for XSS you only need imagination, and to look at how many characters can be inserted in the form or in the variable that permits XSS.
Some variables only accept HTML injection, others HTML and JavaScript injection.

If the attacker looks for good work, he does not go to make phishing on the site, if you think, for example, that in HTML you can insert an iframe and execute all the content injected inside,
for example http://[target]/file.php?variable_vulnerable=value"><iframe src="../../etc/passwd"></iframe>. No need to explain that the source of the iframe can be an exploit, a PHP file, a JS file, etc., and can come from the same server or a remote server if the configuration permits.

XSS is not only for looking at what changes in the web ... it is a big security hole, and with imagination and science you can get some important information about the site.

2 you can spoof the site and go, for example, to Google and add these spoofed links.

--
Curiosity is what makes the mind move

Posted: Sat Feb 05, 2005 2:35 am
LINUX
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman

Pfff, need more? Visit this site, my friend: http://www.shocking.com/~rsnake/xss.html

Posted: Sat Apr 02, 2005 3:03 pm
aracnet
Beginner
Joined: Dec 06, 2004
Posts: 1

Is PHP's strip_tags() for input good enough against XSS? And nl2br() for output. (So simple texts maybe, but isn't it more secure?)

Also, if the site is using htmlentities() or htmlspecialchars() for output of the data from the DB, do I still have a chance to bypass them?
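
The comparison asked about in the last post, as an added example that is not part of the original thread: it passes the attribute-breakout value from the URL in Lostmon's post through strip_tags() and through htmlspecialchars() with ENT_QUOTES, then checks whether the result can still close the attribute it is written into. The `<input>` template fragment and the helper names are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread.
// Constructed input: the value from the attribute-breakout URL quoted in the thread.
$input = 'value"><iframe src="../../etc/passwd"></iframe>';

// Hypothetical template fragment that echoes user data into an attribute.
const PREFIX = '<input type="text" name="q" value="';
const SUFFIX = '">';

// Approach 1: strip_tags() the input, then output it unescaped.
// Tags are removed, but quotes and a stray '>' are ordinary text to strip_tags().
function render_stripped(string $v): string
{
    return PREFIX . strip_tags($v) . SUFFIX;
}

// Approach 2: keep the raw value and encode it at output time.
// ENT_QUOTES encodes both " and ', which is what protects attribute values.
function render_encoded(string $v): string
{
    return PREFIX . htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . SUFFIX;
}

// Returns true when the user-controlled part contains no raw quote or angle
// bracket, i.e. it cannot close the attribute or the tag it was placed in.
function stays_in_attribute(string $html): bool
{
    $inner = substr($html, strlen(PREFIX), -strlen(SUFFIX));
    return strpbrk($inner, "\"'<>") === false;
}

$results = [
    'strip_tags'       => render_stripped($input),
    'htmlspecialchars' => render_encoded($input),
];

foreach ($results as $name => $html) {
    printf("%-17s %s\n  contained in attribute: %s\n",
        $name, $html, stays_in_attribute($html) ? 'yes' : 'no');
}
```

nl2br() only inserts `<br>` tags and does no encoding, so it belongs after htmlspecialchars() rather than in place of it.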
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"