Slashdot Mirror


The Anatomy of Cross Site Scripting

LogError writes "Many documents discuss the actual insertion of HTML into a vulnerable script, but stop short of explaining the full ramifications of what can be done with a successful XSS attack. While this is adequate for prevention, the exact impact of cross site scripting attacks has not been fully appreciated. This paper will explore those possibilities."

8 of 208 comments

  1. Re:Text Version for People Who Hate PDFs by calethix · · Score: 1, Insightful

    How'd this get modded redundant? I only see 3 posts right now and if it wasn't for this one I wouldn't be able to read the paper because it appears to be slashdotted already.

  2. Short solution by Anonymous Coward · · Score: 5, Insightful

    Do not have a blacklist for denying invalid input. It's hell/impossible to maintain such blacklists.

    Handle all user input as if it was written by Satan himself, and only allow input complying with your strict specification.

  3. Re:Booring by xchino · · Score: 4, Insightful

    I completely disagree. XSS is as dangerous if not more so than a buffer overflow, in many cases. Take this for example:

    Your target is one or more users of a community web site. The site itself isn't the target, only the means to your own ends. Remember, it's the users you are after, not the site itself. So you smash the stack on the server, grab the mySQL database, and open it up. Bummer, all the passwords are md5'd and basically useless. With XSS you could conceivably alter the login form that they get, and before md5($password) is executed you export $password (still in plain text) off to your little database.

    Cracking isn't about what is the most "exciting and leet" way to do it, it's about using the tools you have at your disposal to get what you want done, done. Sometimes this is a buffer overflow, sometimes it's an XSS attack, sometimes an emailed trojan, and sometimes even social engineering to gain physical access (even via an unwitting human proxy).

    --
    Everyone is entitled to their own opinion. It's just that yours is stupid.

  4. Re:Static by jon3k · · Score: 2, Insightful

    -1 for captain obvious, here.

    Static web pages also went out with beta video cassettes.

  5. I learnt this lesson a long time ago. by Marak · · Score: 5, Insightful

    In high school for economics class we got to play a mock stock market game (on the web). Well my stock market team consisted of myself and another CS student.

    On the website you would enter in the amount of stock, stock symbol, and BUY or SELL in a form. That form would POST to a confirmation page and from there you would click "TRADE" and it would post to some server side page to execute the trade. The fools that designed the site thought it would be a good idea to validate all the data on the confirmation page and NOT on the server side page. We created a local version of the initial confirmation page, changed the action of the form to "http://www.tradingsite.com/cgi-bin/trade.pl". We then proceeded to buy -100000 shares of MSFT for about 40 bucks a pop.
    The server had a formula of something like:

    (STOCKPRICE * SHARES) + COMMISSION = SUM
    The sum was then checked against your accounts cash balance.
    Something like:
    IF (SUM > CASHBALANCE)
    ERROR;
    ELSE
    EXECUTE TRADE;

    Well we had a big negative number for our SUM so it passed.

    The server then proceeded to:
    CASHBALANCE = CASHBALANCE - SUM

    Well anyone who has taken 5th grade math knows what happens when you subtract a negative number.
    To make a long story short....we come into school about 2 weeks later and there is a big list of all the teams playing the stock market game in NY state. Our team is number 1 by about 2 million bucks, 2nd place is at about 105k. We confessed to the whole thing, explained to the site what they did wrong, and didn't get in any trouble.

    The moral of this story:

    Validate all user input before you perform ANY actions with it.
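
    The negative-shares bug in this comment, and the allow-list rule from comment 2, side by side as an added example (not code from the original thread or the trading site): a server that trusts the posted SHARES field as the story describes, next to one that validates every raw POST field against a strict specification before touching the balance. Prices, fee and symbols are constructed sample data.

    ```python
    import re
    from dataclasses import dataclass, field

    # Constructed sample data (hypothetical prices and fee, not from the original thread).
    PRICES = {"MSFT": 40.0, "IBM": 80.0}
    COMMISSION = 10.0
    SYMBOL_RE = re.compile(r"[A-Z]{1,5}")
    SHARES_RE = re.compile(r"[1-9][0-9]{0,8}")  # positive integer, no sign, no leading zero

    @dataclass
    class Account:
        cash: float
        holdings: dict = field(default_factory=dict)

    def vulnerable_trade(account, symbol, shares):
        # Mirrors the server logic the comment describes: the posted SHARES string
        # is trusted, so a negative count makes SUM negative, the balance check
        # passes, and "CASHBALANCE - SUM" adds money to the account.
        total = PRICES[symbol] * int(shares) + COMMISSION
        if total > account.cash:
            return False
        account.cash -= total
        return True

    def validate_order(symbol, shares, side):
        # Allow-list validation of the raw POST fields: accept only what the
        # specification permits and reject everything else (no deny-list).
        if not isinstance(symbol, str) or not SYMBOL_RE.fullmatch(symbol) or symbol not in PRICES:
            raise ValueError("unknown or malformed symbol")
        if not isinstance(shares, str) or not SHARES_RE.fullmatch(shares):
            raise ValueError("shares must be a positive integer")
        if side not in ("BUY", "SELL"):
            raise ValueError("side must be BUY or SELL")
        return symbol, int(shares), side

    def safe_trade(account, symbol, shares, side):
        # Validate on the server, then check the precondition that applies to each side.
        symbol, shares, side = validate_order(symbol, shares, side)
        total = PRICES[symbol] * shares + COMMISSION
        if side == "BUY":
            if total > account.cash:
                return False
            account.cash -= total
            account.holdings[symbol] = account.holdings.get(symbol, 0) + shares
        else:
            if account.holdings.get(symbol, 0) < shares:
                return False
            account.holdings[symbol] -= shares
            account.cash += PRICES[symbol] * shares - COMMISSION
        return True
    ```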

  6. Re:Text Version for People Who Hate PDFs by samjam · · Score: 4, Insightful

    Many people consider cut-and-pasting the article to be inherently redundant. I generally agree with them.

    An accurate judgement, no doubt, but the point is this:
    Is there any value in moderating the post as redundant? Redundant it may be, but useful, and arguably more useful than its moderation as redundant.

  7. Re:Speaking of cookies by Anonymous Coward · · Score: 2, Insightful

    You're probably copying the session ID in addition to the user ID and password. Session IDs are usually bound to a URL or small range of URLs, so submitting a stolen session ID invalidates the password.

  8. Re:Text Version for People Who Hate PDFs by harkabeeparolyn · · Score: 2, Insightful

    It's not redundant if the site has been slashdotted into oblivion and the cut-and-paste is the only way we're going to see the paper today.