Penetration Testing
mailing list archives
Re: Exploiting XSS
From: anj <andykin () privatei com>
Date: Mon, 08 Dec 2008 08:26:43 -0700
White Hat and List,
XSS was one of those things that it took me a while to get my head
around, and something that will continue to evolve as a serious concern
for companies trying to protect important assets for quite some time.
In this article outlining a cyberattack on the Pentagon's network from
April of this year
(http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm),
there is a little blurb that caught my attention:
"....—proved so nettlesome that the White House shut off aides' access
to the Web site for more than six months, says a cyber security
specialist familiar with the incident. The Defense Dept. shut the door
for even longer. Computer security investigators, one of whom spoke with
BusinessWeek, identified the culprit: a few lines of Java script buried
in AEI's home page..."
At BlueHat this year, Manuel Caballero's presentation yielded the
following comment from a reviewer:
"Resident Scripts have put the fear of God into me. Whereas a normal
cross-site scripting attack vector is great for the site that was
cross-site scripted, it stopped there; it couldn't follow you
off-domain. Manuel's can. Scary." Read more here:
http://blogs.technet.com/bluehat/archive/2008/05/06/can-i-interest-you-in-a-glass-of-berry-blue-kool-aid-a-recap-of-bluehat-v7.aspx
Also, new vectors for XSS are being discovered (this one from September
of this year: http://www.thespanner.co.uk/2008/08/26/new-xss-vector/).
So in short, the answer that you're looking for isn't the one I'm going
to give you...you need a good understanding of the programming languages
being used to develop the site(s), especially JavaScript. I've learned
more about XSS by putting up a malicious proof-of-concept web site, and
then another in several different languages that had to be protected.
You'll need to understand the differences in hosting a site that offers
malicious JavaScript and hosts the cookie-stealing aspects of a site,
and the site being XSS'd. You'll also need to understand languages such
as Flash/ActionScript and SilverLight.
This brings up my last point... what happens when you use one of the
follow-up postings or tools provided in this forum to demonstrate
additional risk to your customer, and that customer requests your
assistance in mitigating the vulnerability? Better brush up on your SQL
and the web application language of your customer's choice.
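The post ends on the mitigation side: the tester who demonstrates XSS will be asked to help fix it, and that takes familiarity with the site's own language. The following is an added example, not code from the original post or from any of the sites it references, showing the core fix for reflected or stored XSS in JavaScript: encoding untrusted data for the exact context it is inserted into (HTML text, a double-quoted attribute, a JavaScript string literal). The function names, the template structure and the sample probe string are all assumptions constructed for this example.

```javascript
// Added example (not from the original post): context-aware output encoding,
// the standard mitigation for XSS. Untrusted input must be encoded for the
// context it lands in; a single encoder does not cover all three contexts.

// HTML text-node context: escape the five characters that HTML treats specially.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// HTML attribute context: the same escaping is sufficient only because the
// template below always wraps attribute values in double quotes (assumption).
function encodeForHtmlAttribute(s) {
  return encodeForHtml(s);
}

// JavaScript string-literal context: hex-escape every non-alphanumeric
// character so quotes, backslashes, newlines and "</script>" cannot
// terminate the literal or the surrounding script block.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Hypothetical page that reflects a user-supplied search term into all three
// contexts, each with its own encoder.
function renderSearchPage(term) {
  return [
    '<h1>Results for ' + encodeForHtml(term) + '</h1>',
    '<input type="text" name="q" value="' + encodeForHtmlAttribute(term) + '">',
    '<script>var lastQuery = "' + encodeForJsString(term) + '";</script>',
  ].join('\n');
}

// Constructed sample input: a common XSS probe string used when testing
// whether output encoding is applied.
const sampleInput = '"><script>alert(1)</script>';

// Returns true when the rendered page contains exactly one <script> open and
// close tag (the page's own) and no unencoded copy of the probe.
function probeIsNeutralised(term) {
  const page = renderSearchPage(term);
  return page.split('<script>').length === 2 &&
         page.split('</script>').length === 2 &&
         !page.includes('<script>alert');
}

console.log(renderSearchPage(sampleInput));
console.log('probe neutralised:', probeIsNeutralised(sampleInput));
```

The design point is that the choice of encoder follows the insertion point in the template, not the data: the same search term is encoded three different ways on one page. A framework's auto-escaping usually covers the HTML contexts, but data placed inside an inline script block still needs the JavaScript encoder (or, better, a data attribute read by the script), which is where many real applications slip.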