mailing list archives
Application validation on defensivethinking.com
From: jamie fisher <contact_jamie_fisher () yahoo co uk>
Date: Tue, 27 Jul 2004 19:48:48 +0100 (BST)
I've noticed some issues with respect to the way some of defensivethinking's web pages handle and validate (or rather
not validate) scripts.
Parameter: strFirstName=admin -> strFirstName=>"'><script>alert('Look mummy I'm on Big Kev's web site')</script>
Parameter: strFirstName=admin ->
Parameter: strFirstName=admin ->
Customer session and cookies are compromised. The attacker may be able to pose as a legitimate user to view and alter
user records, and perform transactions as that user.
There are three parties involved in this attack:
(A) - is an attacker. He/she may know the identity of "B", and the structure of site "C".
(B) - is the victim user (of web-site "C").
(C) - is the vulnerable web-site.
The attack is basically a privacy violation. The attacker (A) gains the victim user (B)'s credentials at the vulnerable
site (C). When the site involved is vulnerable, it is possible to steal credentials from its users. It is not possible
to gain information regarding other sites, so (C)'s vulnerability affects only (C)'s customers.
The attack hinges on the fact that the web-site (C) has a script that returns user input (usually a parameter value,
but variants are discussed below) in an HTML page without first sanitizing the input. This allows an input consisting
code will be executed (by (B)'s browser) in (C) site context, granting it access to cookies (B) has for site (C), and
other windows in site (C) at browser (B).
The attack proceeds as following: The attacker (A) lures the legitimate user (B) to click on a link that was produced
by the attacker. When the user clicks on the link, this generates a request to the web-site (C) containing a parameter
is the essence of the site vulnerability), the malicious code will run in the user's browser (B).
Possible actions that can be performed by the script are:
 Sending the attacker the user cookies for the legitimate site
 Sending the attacker the current URLs of the legitimate site in which the user has an open window
This information is sent to the attacker (A), and thus the victim user "C"'s security (privacy) is compromised.
 Although the attacked web-site (C) is involved, it is not in itself compromised (in the narrow sense). It is only
used as a jump station for the malicious script (sent by the attacker) to return to the victim's browser (B) as if it
is legitimate. However, since the privacy of the victim (B) is breached in the context of site (C), and since site (C)
is directly responsible, it is considered a security flaw in site (C) (much like a weak session token would have been).
 The malicious link can be provided by (A) by via a web-site link (if (A) maintains a site that is visited by (B)),
or via email (if (A) knows (B)'s email address, and if (B)'s email client uses the browser to render the HTML message).
 While user input is most commonly found in form field values (i.e. URL parameters), there are known attacks where
the malicious code is embedded in the path, or in the HTTP Referer headers, and even in cookies.
Response from defensivethinking.com and Kevin Mitnick:
No response received.
I don't think Kevin and I are friends any more.
Hi to the Vodalads - except Lee Power who couldn't secure a personality.
References And Relevant Links
CERT Advisory CA-2000-02
Microsoft HOWTO: Prevent Cross-Site Scripting Security Issues (Q252985)
Microsoft Technet "Cross-site Scripting Overview"
ALL-NEW Yahoo! Messenger - all new features - even more fun!
- Application validation on defensivethinking.com jamie fisher (Jul 27)