mailing list archives
Cross Site Scripting holes abound
From: <security () devitry com>
Date: 17 Nov 2001 02:05:53 -0000
::: Summary ::::
Over a year and a half since CERT issued
warning on Cross Site Scripting, most dynamic
websites are _still_ not filtering user input. This
lets remote sites access to write scripts on vunlerable
sites, stealing cookies, performing actions on behalf
of user or modifying look of content on site. I did a
check of the top 15 sites (and other sites I use) and
found holes in _most_ of them.
::: Sites Affected :::
... many more not listed....
::: Details ::::
In general, if you can replace any url parameter with
and you get an alert, the site may be vulnerable.
Samples and details listed at
The samples on the above site take it one step
futher and send the cookie data to another site.
Even https sites are vulnerable since cookie data
:::: Fix :::::
You should validate or filter all user input, including
hidden form fields and id's passed in url's before
the data is written out to the page. Any poorly
written script on your whole domain could give you
problems. (even old ones that do nothing like
testenv) Filtering or encoding is should be done
for ", >, < and sometimes '
You should monitor for "script" passed in url's to
your site... However, blocking in the url alone
is not good enough as the parameter could be passed
in "POST" data.
For sites that have your data, you should always
log out at the end of your session, and you should
not surf more then one site at a time.
::: Discussion :::
Most of these holes were discovered in a matter of
minutes. It takes more time just to find out the owner
of the site and explain to them why this is a problem.
Is there anyway to fix this on a more global basis?
While these types of holes are not instantly mass
exploitable, it is good (or bad, depending on how you
look at it) for targeting specify users and sites to
steal sessions and personal info.
security () devitry com
ps. microsoft.com exploit url withheld because they
think they are safer that way.
pps. all websites involved were contacted, but most
had no timely reply.
- Cross Site Scripting holes abound security (Nov 19)