[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Self-contained XSS Attacks (the new generation of XSS)

To: tim-security@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Self-contained XSS Attacks (the new generation of XSS)
From: "Ron Jennings" <ronj@xxxxxxxxxxxxxxxxxx>
Date: Sun, 24 Sep 2006 08:43:16 +0000

<html><div style='background-color:'><P><BR>Hi Tim,</P>
<P>&nbsp;&nbsp; You make a great point. &nbsp;</P><BR><BR><BR>
<DIV>
<P><FONT size=1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;Ron Jennings, 
&nbsp;NCIE SSP&nbsp;</FONT></P>
<P><FONT color=#003399>&nbsp;&nbsp;&nbsp;<FONT size=2>Chaser Security- A Microsoft 
Partner</FONT></FONT></P>
<P><FONT color=#003399 size=2>&nbsp; Cell:559.360.2340 24hr.customer 
service</FONT></P>
<P><FONT color=#003399 size=2>&nbsp; VOIP:562.365.1295 </FONT></P></DIV>
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #a0c6e5 2px solid; MARGIN-RIGHT: 
0px"><FONT style="FONT-SIZE: 11px; FONT-FAMILY: tahoma,sans-serif">
<HR color=#a0c6e5 SIZE=1>

From: Tim <tim-security@xxxxxxxxxxxxxxxxxxx> To: "pdp (architect)" <pdp.gnucitizen@xxxxxxxxxxxxxx> CC: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx,webappsec@xxxxxxxxxxxxxxxxx, websecurity@xxxxxxxxxxxxx Subject: Re: [Full-disclosure] Self-contained XSS Attacks (the new generation of XSS) Date: Fri, 22 Sep 2006 10:03:11 -0400 > >Hello pdp, > > > http://www.gnucitizen.org/blog/self-contained-xss-attacks > > > > XSS attacks can be persistent and non-persistent. Persistent XSS is > > more dangerous since it allow attackers to control exploited clients > > for longer. On the other hand non-persistent XSS is considered less > > dangerous although it has been widely used in many phishing attempts. > > > > In this article I willexpose some of my findings around a new attack > > vector which is of type non-persistent XSS but a lot more dangerous > > than the persistent one. > > > > Some of you might be familiar with this attack vector; this subject > > has been covered very vaguely in the past and none of its full > > potentials has been explored. The impact of this attack is much bigger > > today and could affect many web applications. > >This is a very interesting vector. However, I would argue that it is >not a new class of XSS. Generally, the classes have been defined based >on where the injected data flows from, not how it is injected in the >page. > >For instance, stored or persistent XSS comes from an attacker via one >communication, gets saved on the server, and is later reproducedto >another user. Reflected is generally embedded in a link, sent to a >victim, which a victim then sends to the webserver and is reflected back >to achieve injection. DOM-based is similar, but does not need to flow >to the webserver before coming back to get injected. I personally label >these three classes Type 2, Type 1 and Type 0 respectively, in order to >reduce confusion about terminology [1]. > >All three of these scenarios could be used with your injection vector. >A server side script could store the URL supplied by an attacker, and >later present it to a victim, thus making it persistent. Similarly, a >document.write() call could be exploited to inject a data: link, even if >the typical dangerous characters (', ", <, >, etc) were handled. > >Don't get me wrong... I really like the vector,and what you've brought >to the list. I just don't think it should be considered another class. > >cheers, >tim > > >1. http://en.wikipedia.org/wiki/XSS > >------------------------------------------------------------------------- >Sponsored by: Watchfire > >Cross-Site Scripting (XSS) is one of the most common application-level >attacks that hackers use to sneak into web applications today. This >whitepaper will discuss how traditional CSS attacks are performed, how to >secure your site against these attacks and check if your site is protected. >Cross-Site Scripting Explained - Download this whitepaper today! > >https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr >-------------------------------------------------------------------------- > </BLOCKQUOTE></div></html>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] Self-contained XSS Attacks (the new generation of XSS)
  - From: Tim

Prev by Date: Re: [Full-disclosure] Windows Automatic Gringo ZaW!
Next by Date: Re: [Full-disclosure] Windows Automatic Gringo ZaW!
Previous by thread: Re: [Full-disclosure] Self-contained XSS Attacks (the new generation of XSS)
Next by thread: [Full-disclosure] [Call for Papers] DIMVA 2007
Index(es):
- Date
- Thread