RE: Top Ten Web App Sec Problems
From: Richard M. Smith <rms(at)computerbytesman.com>
Date: Tue Dec 03 2002 - 16:41:02 EST
-----Original Message-----
Richard M. Smith asked:

> Are there any known examples of cross-site scripting bugs being

Some public examples have already been mentioned. Some of the well-publicized e-commerce or e-banking hacks may have been performed through XSS; however, there is so little detail about such hacks that one cannot know for sure. XSS can have further-reaching implications than "just" cookie theft, although that seems to be the focus. For example, the ability to inject HTML into a web page would allow someone to exploit vulnerabilities in web clients. See some of the discussions in the November Bugtraq thread "A technique to mitigate cookie-stealing XSS attacks".

Jeff Williams said:

> Another issue in putting together a "top ten" list is the "superclass"

Agreed, but this is the difficult part :-) For example, canonicalization and directory traversal are very closely linked, yet they are discrete entities - you can have one without the other. I suspect that the OWASP "attack components" have analogs in the vulnerability world. The most obvious example is the symlink vulnerability, which has components including (a) bad permissions, (b) easily predictable filenames, and (c) race conditions enabled through non-atomic operations. Take any one of these components away, and you no longer have a symlink vulnerability.

In the web app world, say you have a password file under the document root; you may have a mixture of (a) poor/no encryption, (b) bad permissions or ACLs, and possibly (c) poor design. Even buffer overflows have a number of variants besides "start copying bytes at offset 0 and run past the end of the buffer."

There's also a close relationship between the vulnerability (the programmer/designer's "mistake") and the attack, but these lines often get blurry, especially in terminology. E.g. if you view "directory traversal" as "any means of escaping a restricted directory by manipulating pathnames," then you'll say that exploits involving "/absolute/path/here" or "C:\drive" are directory traversal, whereas others may only view ".." and its variants as directory traversal (I personally view these as "sufficiently different" - fixing/preventing one does not necessarily fix the other). I've been playing around with lower-level categorizations but have not made a lot of concrete progress, as it is a low-priority task.

> A final factor that should go into the "top ten" decision process is

This has varying answers, even for the same type of issue. For example, format string vulnerabilities are easily findable in open source but more difficult in closed source.

> Are there existing tools to search for it?

... both in source code auditing and testing ...

> Do you need special tools to exploit? What are the consequences of

One can only provide an estimate for the likely results of an exploit against a vulnerability. Directory traversal severities can vary anywhere from directory listings to arbitrary command execution.

> Our choices should represent the ones that we think will be the most

XSS is one type of vulnerability whose severity is variable and not fully understood, IMO.
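The message above separates three shapes of "directory traversal" (".." and its encodings, "/absolute/path/here", and "C:\drive") and notes that fixing one does not necessarily fix the other. The following is an added worked example, not code from the original message or from anyone in this thread. It puts a blocklist filter that only rejects a literal ".." next to a canonicalize-then-check filter, and runs both over constructed sample inputs. DOC_ROOT, the sample paths and the function names are assumptions made for the example; the modelled application behaviour is a naive join of the document root with user input, which in Python's posixpath.join silently discards the root when the user part is absolute.

```python
"""Added example (not from the original thread): why a '..' filter does not
cover absolute-path or drive-letter traversal, and how canonicalization does.
DOC_ROOT and SAMPLES are assumptions constructed for this example."""
import ntpath
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/docroot"   # assumed document root for the example


def dotdot_filter(user_path: str) -> bool:
    """Blocklist check that rejects only a literal '..' substring.
    This is the fix that addresses one traversal shape and nothing else."""
    return ".." not in user_path


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so a double-encoded
    '%252e%252e' is seen as '..' rather than slipping past a single decode."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def resolve_target(user_path: str, root: str = DOC_ROOT) -> str:
    """Canonical absolute path the request would actually reach, modelling a
    naive open(join(root, user_path)). posixpath.join discards root when
    user_path is absolute, which is exactly the '/absolute/path' traversal;
    a drive-qualified path ('C:\\...') or UNC path can never be under root."""
    p = fully_decode(user_path)
    drive, _rest = ntpath.splitdrive(p)
    if drive:
        return ntpath.normpath(p)          # treated as outside root by the caller
    p = p.replace("\\", "/")               # Windows separators count too
    return posixpath.normpath(posixpath.join(root, p))


def canonical_filter(user_path: str, root: str = DOC_ROOT) -> bool:
    """Allow the request only if the canonicalized target stays inside root.
    Decode, normalize separators, resolve '..', then check containment."""
    root = posixpath.normpath(root)
    target = resolve_target(user_path, root)
    return target == root or target.startswith(root + "/")


# Constructed inputs, one per traversal shape discussed in the message.
SAMPLES = [
    "index.html",                        # legitimate request
    "../../../etc/passwd",               # classic '..'
    "..\\..\\..\\windows\\win.ini",      # '..' with backslashes
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",   # percent-encoded '..'
    "/etc/passwd",                       # absolute path, no '..' at all
    "C:\\boot.ini",                      # drive letter, no '..' at all
]


def compare(samples=SAMPLES):
    """Map each sample to (dotdot_filter verdict, canonical_filter verdict,
    resolved target). A True/False pair marks a traversal the '..' filter
    lets through but canonicalization catches."""
    return {s: (dotdot_filter(s), canonical_filter(s), resolve_target(s))
            for s in samples}


if __name__ == "__main__":
    for path, (dotdot_ok, canon_ok, target) in compare().items():
        print(f"{path!r:40} dotdot_ok={dotdot_ok!s:5} canon_ok={canon_ok!s:5} -> {target}")
```

Running it shows the encoded, absolute and drive-letter inputs passing dotdot_filter while canonical_filter rejects all three, which is the "sufficiently different" point in practice: a fix that looks for ".." is a fix for one attack shape, whereas checking the canonical target against the root covers every shape at once. For a real application, replace the modelled join with the real filesystem resolution (os.path.realpath) so that symlinks are also canonicalized before the containment check.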
Received on Tue Dec 3 17:21:40 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:45 EDT