Re: [Full-disclosure] Google is vulnerable from XSS attack
- To: infosecbofh@xxxxxxxxx (InfoSecBOFH)
- Subject: Re: [Full-disclosure] Google is vulnerable from XSS attack
- From: bugtraq@xxxxxxxxxxxxxxx
- Date: Sat, 3 Dec 2005 16:20:12 -0500 (EST)
> So how about a real world attack scenario for this. This is one of
> the lamest vulns I have ever seen.
Until about a year ago, I'd have to agree with you. A lot of uses for XSS have been researched in the last year, including a few new ways to use it to make it 'useful'. Not only can you do standard cookie hijacking with XSS, but combined with browser flaws XSS 'could' (in certain situations) be used to help portscan and possibly exploit (carry exploit payloads) a backend network behind a firewall (to the user visiting the XSS'd link), as well as gather Basic Auth credentials (or other headers) via XST attacks.

Jeremiah Grossman presented at blackhat and showed that it's possible to capture keystrokes from a user that has visited an 'XSS'd' link, as well as have bidirectional communication with them. Functionality such as xmlhttp can greatly expand the usefulness of Cross Site Scripting.
The Cross Site Scripting FAQ
http://www.cgisecurity.com/articles/xss-faq.shtml
Cross-Site Tracing (XST) (Official Mirror)
http://www.cgisecurity.com/lib/WH-WhitePaper_XST_ebook.pdf
AJAX (Asynchronous Javascript and XML) Links
http://www.cgisecurity.com/ajax/
Jeremiah's blackhat talk
http://www.blackhat.com/presentations/bh-jp-05/bh-jp-05-grossman.pdf
XSS is 'starting' to get fairly useful.
Regards,
- admin@xxxxxxxxxxxxxxx
http://www.cgisecurity.com/ (Web Security News, and More!)
http://www.cgisecurity.com/index.rss (Web Security News RSS Feed)
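The two XSS uses the reply names, cookie hijacking and Cross-Site Tracing, each have a server-side mitigation: mark session cookies HttpOnly so injected script cannot read them via document.cookie, and refuse TRACE so the server never echoes request headers (including Authorization) back to a script. The WSGI middleware below is an added example, not code from the post or from cgisecurity.com; the application, cookie name and the `run()` driver are constructed for the demonstration.

```python
"""Hypothetical WSGI middleware mitigating cookie hijacking and XST."""


def harden_cookie(value):
    """Append HttpOnly and Secure to a Set-Cookie value if missing."""
    attrs = [a.strip() for a in value.split(";") if a.strip()]
    present = {a.lower() for a in attrs}
    if "httponly" not in present:
        attrs.append("HttpOnly")
    if "secure" not in present:
        attrs.append("Secure")
    return "; ".join(attrs)


class XssHardeningMiddleware:
    """Reject TRACE (blocks XST header echo) and force HttpOnly on cookies."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if environ.get("REQUEST_METHOD", "").upper() == "TRACE":
            body = b"TRACE is disabled"
            start_response("405 Method Not Allowed",
                           [("Content-Type", "text/plain"),
                            ("Allow", "GET, POST"),
                            ("Content-Length", str(len(body)))])
            return [body]

        def wrapped_start(status, headers, exc_info=None):
            # Rewrite every Set-Cookie header the backend emits.
            fixed = [(k, harden_cookie(v)) if k.lower() == "set-cookie"
                     else (k, v) for k, v in headers]
            return start_response(status, fixed, exc_info)

        return self.app(environ, wrapped_start)


def demo_app(environ, start_response):
    """Constructed backend that sets a session cookie without HttpOnly."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/")])
    return [b"hello"]


def run(method):
    """Drive the middleware with a constructed request; return status, headers, body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    app = XssHardeningMiddleware(demo_app)
    body = b"".join(app({"REQUEST_METHOD": method}, start_response))
    return captured["status"], dict(captured["headers"]), body
```

Disabling TRACE at the origin stops XST only for that host; proxies in the path that answer TRACE themselves need the same setting.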