[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Re: Advanced XSS paper and semi-new attack

That's an interesting paper! Some points I thought about while reading it:

* Many environments (PHP, Perl+CGI.pm) accept both POSTed and GETted data. At 
least in some circumstances, they just put it in a structure for incoming data 
without much regard for what HTTP method was used.

* Several HTML constructs (<img>, <frame>, <iframe>..) will make the web 
browser start fetching a URL as soon as the web browser sees it, without 
asking the user first. In environments where there is either an XSS problem or 
an HTML filter that allows these constructs, they can be used for either:

a) performing actions in a web application under other people's names. For 
example, <img src="password-change.php?new=client&amp;again=client">

b) using someone else as a proxy for cracking into some server. For example, 

* An additional difficulty is that web browsers accept redirects for images, 
so someone could include an image ostensibly pointing to a PNG image on their 
server but which immediately redirects to a mail sending script at your server.

* This evil redirect problem isn't just related to XSS and such things. It can 
also be used together with social engineering. If people see an interesting 
link and click it, they don't expect the link to redirect back to the web 
application that they're logged in to and do nasty things there, but it can 

(I'm not sure if this information was new or not, just some stuff I've had 
lying around in my notebooks for months without writing it up.)

Ulf Härnhammar, student, Uppsala Universitet

"My ideas / often hit / platform six at London Bridge / took a train /
 thought of you / only until Waterloo"
-- Vic Twenty, "Kiss You"

På spaning efter den webbransch som flytt

kses - PHP HTML/XHTML filter

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html