
Re: [Full-disclosure] on xss and its technical merit



so who won?  can we argue about CSRF yet?  perhaps an interlude with
0day or !0day moderated by Gadi...


On Nov 5, 2007 12:00 AM, pdp (architect) <pdp.gnucitizen@xxxxxxxxxxxxxx> wrote:
> comments inlined

hey look i top posted


<pdp> we are not talking about whether XSS is suitable for all kinds of
<pdp> attacks. We are talking about the technical merits of XSS.

so some exploit techniques are impressive on their own, regardless of
any other context, like check heaps evasion.  suitable for very
little/few real world attacks, but still worthwhile / notable.


<pdp> There are XSS script kiddies as well Buffer Overflow script kiddies.
<pdp> Just because you can find XSS does not mean that you've done something
<pdp> amazing and extraordinary.

so xss needs more than just to exist.  it needs to be unique or
notable among xss, perhaps by leveraging for escalation, or previously
unknown vector to deliver it...

<pdp> BTW, it does look like an achievement when you find a XSS inside an
<pdp> application that 1000 more people play with (look for similar bugs) on
<pdp> a daily basis. XSS in some small apps are stupid. XSS on the default
<pdp> Google Search Interface is as valuable as remotely exploitable buffer
<pdp> overflow for Linux 2.6.x kernels (distribution independent).

a researcher discovers an xss vector in a google service, it is likely
notable and/or interesting because they protect against (most) known
attacks.  this can be a useful metric.  "is your xss against google,
microsoft, yahoo, ebay?  if not, think twice about its merit..."


<reepex> yes and i guess bad for you is that the only xss you really see posted (fd,
<reepex> milw0rm, security focus) is people posting <script>alert('hi')</script>

i thought it was <script>alert('XSS')</script> ...  oh hey, if you see
message "XSS" you got pwnies and i get credit.  ok? ok!

to help the cause, consider this snippet:
- doRequest() is your usual ajax helper provided by target site/service
- /account/doreset is the URL for service that provides "reset my
account" feature
- doreset uses ok to confirm user action, "are you sure?" ok=1

<DIV STYLE="width: expression(doRequest('/account/doreset?ok=1&session='+document.cookie.substring(10,36),'GET')+doRequest('logout','GET')+alert('OMG pwnies'));">

some fun details: the confirm reset action requires the session cookie
to verify against in attempt to avoid easy CSRF and friends.  the
usual script elements are heavily filtered by service, but hey, IE is
friendly with expression that squeaks through form filter...

end result: target account reset, logged off, and browser displays
endless popups until they kill or reboot.  this is more than
<script>alert('XSS')</script>, but still not fucking check heaps.

btw, same snippet to pull session cookie can be used for session
hijack (read according to same origin, post to anywhere for pick up
and hijack...)  is hijacking of active session more interesting?
perhaps...

you get the picture.  by now, all the low hanging fruit for xss is
eaten.  so perhaps "xss should be discussed much less" is the only
concrete thing we all agree on?



<reepex> also (unless im missing) something in another email you mentioned like 15
<reepex> different kinds of xss which I am sure are all interesting in their own way
<reepex> but the most you can get out of them is simple browser games.

<pdp> As I said, this is not the case. Chrome based XSS, we covered a few in
<pdp> the XSS book I believe, are very different, for example. In some case
<pdp> the XSS vector resides inside a Sandbox. Now you need to find a way to
<pdp> get out of the sandbox and as such reaching again the browser
<pdp> internals. Flash based XSS can lead to a lot of damages especially
<pdp> when combined with something like desktop AIR applications which are
<pdp> granted with full control over the client machine. AIR also can run
<pdp> HTML pages which also can lead to elevated privileges and as such
<pdp> access to the system. What about desktop and mobile Widgets?

back to uniqueness / clever method: all of these are now old news.

they were legitimately discussed when discovered.  no need to hash
over the same tricks... next xss post to FD better be new and sexy or
reepex shoots you in the face.

criteria for xss vuln poster to live:

if xss...
- is in major site / service  AND/OR
- uses previously unknown vector for attack  AND/OR
- is combined with other methods for impressive result
...you get to live. for today...


all those in favor let this thread die in silence.
    the aye's have it. meeting adjourned.
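The vector the message describes (an IE `expression()` tucked into a STYLE attribute, slipping past a filter that only looks for script tags) is exactly what an output filter for user-controlled inline styles should catch. As an added example, not from the original thread or anyone in it, here is a defender-side check in JavaScript that undoes the common obfuscations (HTML entities, CSS comments, CSS backslash escapes) before matching, and a whitelist sanitizer for the case where some inline styling must be allowed. The function names and the SAFE_PROPS set are my own choices.

```javascript
// Added example: detect / sanitize inline style values that can run script in
// legacy browsers (IE expression(), behavior:, javascript: URLs, -moz-binding).
// Normalization happens first so that "expr/**/ession(" or "&#101;xpression("
// is recognised as the same thing as "expression(".

const cp = (n) => (n > 0x10ffff ? '' : String.fromCodePoint(n));

function normalizeCss(value) {
  let s = String(value);
  // 1. decode HTML numeric entities and the few named ones that matter here
  s = s.replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
       .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
       .replace(/&lpar;/gi, '(').replace(/&quot;/gi, '"').replace(/&apos;/gi, "'");
  // 2. decode CSS backslash escapes: \65 or \000065, optional trailing space
  s = s.replace(/\\([0-9a-f]{1,6})\s?/gi, (_, h) => cp(parseInt(h, 16)));
  // 3. strip CSS comments, which IE tolerated inside identifiers
  s = s.replace(/\/\*[\s\S]*?\*\//g, '');
  // 4. collapse whitespace and lowercase for case-insensitive matching
  return s.replace(/\s+/g, ' ').toLowerCase();
}

// Constructs that must never appear in a user-controlled style value.
const DANGEROUS_CSS = [
  /expression\s*\(/,   // IE dynamic property: arbitrary script
  /javascript\s*:/,    // javascript: URL inside url()
  /behavior\s*:/,      // IE .htc behaviors
  /-moz-binding\s*:/,  // legacy Firefox XBL bindings
];

function isDangerousStyle(value) {
  const n = normalizeCss(value);
  return DANGEROUS_CSS.some((re) => re.test(n));
}

// Whitelist: keep only declarations with an allowed property and a plain value
// (no parentheses, no backslashes), so url() and function calls never survive.
const SAFE_PROPS = new Set([
  'color', 'background-color', 'font-weight', 'font-style', 'text-align', 'width', 'height',
]);

function sanitizeStyle(value) {
  if (isDangerousStyle(value)) return '';
  const kept = [];
  for (const decl of normalizeCss(value).split(';')) {
    const m = decl.match(/^\s*([a-z-]+)\s*:\s*([^()\\]+?)\s*$/);
    if (m && SAFE_PROPS.has(m[1])) kept.push(`${m[1]}: ${m[2]}`);
  }
  return kept.join('; ');
}
```

Blacklist matching alone is only a detection aid; the whitelist path is what actually makes the output safe to emit.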

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/