Home page logo

webappsec logo WebApp Sec mailing list archives

Re: myspace hack
From: Tom Gallagher <tom () SecurityBugHunter com>
Date: Fri, 14 Oct 2005 22:31:43 -0400

I talk with people about this issue often. I've heard people call it many names
- one is Same Site Scripting.  When this name is used, there is often a
misunderstanding by people unfamiliar with the name.  The problem stems from
people having different ideas of what a site is.  Some people think of a web
site a fully qualified domain name and all directories in it.  However, other
people treat different URLs under the same domain as different sites.  For
example: www.example.com/user1 and www.example.com/user2 are different sites.

I personally like to use Same Domain Scripting.  The reason is when we look at
browser/web client bugs, we often talk about cross domain access.  This issue
doesn't allow for cross domain access, but instead access within the same
domain through script.  These attacks often don't require XMLHttp.

Just a thought...

Quoting Tim Brown <tmb () 65535 com>:

On Friday 14 Oct 2005 15:29, Reynolds, Jake wrote:
I wouldn't consider this an XSS attack. Where in the attack did information
cross sites? This seems like it is an embedded XSS attack in that a
malicious script was entered into a profile in hopes that victims would
view and execute it. However, nothing was sent across sites via the script.
The vulnerability was a lack of output validation in my opinion, which is
the same vulnerability that an XSS attack would exploit. I don't know how
you would classify the attack... Probably "self-replicating session
riding". Yeah that has a nice FUD-factor to it.

I coined the term Same Site Scripting to describe the act of abusing
XMLHttpRequest whilst playing around with this attack vector for a paper I'm
writing.  Anyone have a better suggestion?

Tim Brown
<mailto:tmb () 65535 com>

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]