Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Exploiting XSS
From: anj <andykin () privatei com>
Date: Mon, 08 Dec 2008 08:26:43 -0700

White Hat and List,

XSS was one of those things that it took me a while to get my head around, and something that will continue to evolve as a serious concern for companies trying to protect important assets for quite some time.

In this article outlining a cyberattack on the Pentagon's network from April of this year (http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm), there is a little blurb that caught my attention:

"....—proved so nettlesome that the White House shut off aides' access to the Web site for more than six months, says a cyber security specialist familiar with the incident. The Defense Dept. shut the door for even longer. Computer security investigators, one of whom spoke with BusinessWeek, identified the culprit: a few lines of Java script buried in AEI's home page..."

At BlueHat this year, Manuel Caballero's presentation yeilded the following comment from a reviewer: "Resident Scripts have put the fear of God into me. Wheeas a normal cross-site scripting attack vectors is great for the site that was cross-site scripted, it stopped there; it couldn't follow you off-domain. Manuel's can. Scary." Read more here: http://blogs.technet.com/bluehat/archive/2008/05/06/can-i-interest-you-in-a-glass-of-berry-blue-kool-aid-a-recap-of-bluehat-v7.aspx

Also, new vectors for XSS are being discovered (this one from September of this year: http://www.thespanner.co.uk/2008/08/26/new-xss-vector/).

So in short, the answer that you're looking for isn't the one I'm going to give you...you need a good understanding of the programming languages being used to develop the site(s), especially JavaScript. I've learned more about XSS by putting up a malicious proof-of-concept web site, and then another in several different languages that had to be protected. You'll need to understand the differences in hosting a site that offers malicious JavaScript and hosts the cookie-stealing aspects of a site, and the site being XSS'd. You'll also need to understand languages such as Flash/ActionScript and SilverLight.

This brings up my last point....what happens when you use one of the follow up postings or tools provided in this forum to demonstrate additional risk to your customer, and that customer requests your assistance in mitigating the vulnerability? Better brush up on your SQL and web application language of your customer's choice.

This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]