Slashdot Mirror


The Anatomy of Cross Site Scripting

LogError writes "Many documents discuss the actual insertion of HTML into a vulnerable script, but stop short of explaining the full ramifications of what can be done with a successful XSS attack. While this is adequate for prevention, the exact impact of cross site scripting attacks has not been fully appreciated. This paper will explore those possibilities."

2 of 208 comments

  1. Asp.NET 1.1 and XSS by palad1 · Score: 3, Interesting

    Asp.Net protects users from XSS by default since version 1.1 by parsing the parameters of a page and looking for javascript/html code in the query.
    Of course I was bitten by this feature when upgrading from 1.0 to 1.1, but that's just because I didn't bother reading the readme.txt :)
    Automatic protection bundled with any application server is good, especially if you can turn it off [you can in asp.net, validateRequest=false, et voilà].

  2. A few techniques used and more by iceco2 · Score: 3, Interesting

    The general technique described above is with vulnerable scripts which display text which came from URL-encoded data. This is one of many methods to display the attacker's HTML in an unsuspecting user's browser.
    It is very common for the 404 message on a website to contain the URL which was entered. In the past this was done mostly by copying it as is. This would allow an attack.

    In order to hide the attack, hex encoding is used in the URL so the victim would not notice the script in the URL.

    Still, the attacker needs to minimize the length of the URL; this causes him to use HTML options such as iframe in order to insert a lot of HTML taken from a different site.

    The main point of interest is that the page appears to be coming from the (probably trusted) server; this can convince the user to do stuff he may not do on the attacker's web site, say for example enter credit card info.

    Also one could collect cookies this way; the cookies are likely to contain passwords or equivalent information for sites with user login.

    In some forums a user can put scripts in his signature or profile; this allows similar results, but without sending funny URLs.

    DO NOT TRUST USER INPUT, it may harm not only you but also the user; they must be protected.

    Me.