
RE: Top Ten Web App Sec Problems

From: b0iler _ <b0iler(at)hotmail.com>
Date: Tue Dec 03 2002 - 21:52:46 EST


>Yep, there are a lot of interesting games that can be played with XSS.
>However, my feeling is that XSS bugs haven't been exploited in the wild.
>Richard

I've exploited XSS holes many times. I have heard/seen people attempt XSS exploitation many times. It is a much more targeted and specific type of attack than one in which the attacker has full power to exploit; this may be a reason behind its limited use. I'd say script injection attacks are more damaging, and exploited much more frequently than XSS.

Instead of that fake news story being up for 1 user, and only if that user is sent to the webapp with the XSS payload, the fake story would be up for every user.

It is impossible to create an email worm with XSS; since the file is stored on the server, it is a script injection type of attack. XSS works by input being echoed back to the user. Script injection is when this input is saved permanently to a file, database, etc. and then presented to the user at a later time. This makes for a more permanent attack, one that is much more likely to work. One "worm" which would work would be a normal XSS worm that chains their URLs together, perhaps querying a database for all of the URLs to hit (or hardcode it in). This could spread from site to site gaining cookies, URLs, and other important info. It could even spread from user to user if the XSS can send instant messages or force other users to visit html pages somehow (not via email, again, that is script injection).

On a related note, please remember that XSS/script injection is not just javascript. Other languages have their own benefits. If you are just filtering for javascript, best to add these other languages (or use a completely different system for input verification): ActiveX (OLE), VBscript (OpenScape), CSS, Shockwave, Flash, Actionscript, mocha (Netscape's javascript command line interpreter), livescript (original name of javascript), Java, tcltk (http://dev.scriptics.com/software/plugin/), ACUCOBOL-GT (http://www.actis.gr/prod/acucobol/webplugin.htm), dolphin (smalltalk http://www.object-arts.com/Lib/EducationCentre4/htm/deployingfortheweb.htm), Applescript, tml (http://browsex.com), and others I am unaware of. If you know of any more please email them with a URL for more info on them.



Received on Tue Dec 3 21:57:19 2002
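The two points the post makes, that stored ("script injection") input reaches every later reader while echoed (reflected) input reaches only the one request that carried it, and that a filter looking only for javascript misses other vectors, as an added example that is not part of the original message. The in-memory guestbook, the search page, the three sample inputs and the `vbscript:` URL check are all constructed for illustration; the defensive contrast is a `<script>`-only blocklist against HTML-encoding at output time.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample inputs (not from the original post). Only the first
# one is "javascript" in the sense a <script>-tag blocklist understands.
SCRIPT_TAG = '<script>alert(1)</script>'
EVENT_HANDLER = '<b onmouseover="alert(1)">hello</b>'
VBS_URL = '<a href="vbscript:msgbox(1)">click</a>'
SAMPLES = (SCRIPT_TAG, EVENT_HANDLER, VBS_URL)

_SCRIPT_RE = re.compile(r'<script\b[^>]*>.*?</script\s*>', re.IGNORECASE | re.DOTALL)


def naive_filter(text: str) -> str:
    """A javascript-only blocklist: strips <script> elements and nothing else."""
    return _SCRIPT_RE.sub('', text)


def encode_output(text: str) -> str:
    """Language-agnostic defence: HTML-encode untrusted text when it is rendered."""
    return html.escape(text, quote=True)


class ActiveContentDetector(HTMLParser):
    """Reports markup a browser would execute regardless of scripting language:
    a <script> element, any on* event-handler attribute, or a script-scheme URL."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.findings.append(f'<{tag}> element')
        for name, value in attrs:
            if name.startswith('on'):
                self.findings.append(f'{name} handler on <{tag}>')
            elif value and value.strip().lower().split(':', 1)[0] in ('javascript', 'vbscript'):
                self.findings.append(f'{name}="{value}" script URL on <{tag}>')


def active_content(fragment: str) -> list[str]:
    """Parse a rendered HTML fragment and list executable constructs found in it.
    Encoded output contains no real tags, so the parser reports nothing for it."""
    detector = ActiveContentDetector()
    detector.feed(fragment)
    detector.close()
    return detector.findings


class Guestbook:
    """Stored case (the post's 'script injection'): input is saved once and then
    served to every reader of the page, so one poisoned entry hits all users."""

    def __init__(self, render):
        self.render = render          # sanitisation step applied at output time
        self.entries: list[str] = []

    def post(self, text: str) -> None:
        self.entries.append(text)     # hypothetical persistence layer

    def page(self) -> str:
        return '<ul>' + ''.join(f'<li>{self.render(e)}</li>' for e in self.entries) + '</ul>'


def search_page(query: str, render) -> str:
    """Reflected case (the post's XSS): the query is echoed back only in the
    response to the single request that carried it."""
    return f'<p>Results for: {render(query)}</p>'


def compare() -> dict:
    """Run both defences through the stored and reflected shapes and report
    what a browser would still execute in each rendered page."""
    results = {}
    for name, render in (('blocklist', naive_filter), ('encode', encode_output)):
        book = Guestbook(render)
        for sample in SAMPLES:
            book.post(sample)
        results[name] = {
            'stored_findings': active_content(book.page()),
            'reflected_findings': active_content(search_page(EVENT_HANDLER, render)),
            'reflected_clean_request': active_content(search_page('shoes', render)),
        }
    return results


if __name__ == '__main__':
    for defence, outcome in compare().items():
        print(defence, outcome)
```

With the blocklist, the guestbook page keeps the event-handler and `vbscript:` entries for every reader, and the search page echoes the handler back for the one request that carried it; with output encoding both pages render the same inputs as inert text, which is why the post's list of non-javascript vectors matters less once encoding replaces filtering.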

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:45 EDT
