Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Fwd: CERT Advisory CA-2000-02
From: regs () NEBCORP COM (Ari Gordon-Schlosberg)
Date: Thu, 3 Feb 2000 14:17:12 -0600

[Shockro () AOL COM]
I'm curious as to how this could be used in a malicious manner, as opposed to
just being an annoyance.  I mean, god forbid, people should execute arbitrary
javascript on us.  Yes, we've all seen the file upload form exploit and the
1001 ways to crash Internet Explorer through infinite loops, but there's
nothing seriously harmful about this, am I right?  Please correct me if I'm

Yes, you are wrong. :)

Let me explain: the javascript issue is not a huge one, although there are
some issues. I don't know enough about javascript to get into it.

I think the best example of where this could be a problem would on a site
like amazon.com.  If I can inject HTML into my customer review, I can start
reaping passwords or credit card numbers.  By studying the format of the
amazon HTML, I can make it look like I inserted some sort of prize form
into the web page: I ask for their username and password and they press
submit... that then posts to a cgi on my server.  Boom!  I have their
account.  Or I embed an applet, the net result being the same.  This is a
real issue.

Basically, it boils down the fact that most users will assume that any
HTML/Applet/form/script that shows up on a foo.com webpage was authored by
someone at foo.com, and any information that they send via their web
browser will be going to and only to foo.com.  Injection of an attacker's
HTML into a a foo.com webpage can exploit this assumption to steal
sensitive information.

Ari                                                     there is no spoon
http://www.nebcorp.com/~regs/pgp for PGP public key

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]