
RE: XSS

From: Eyal Udassin <eyal(at)webcohort.com>
Date: Tue Dec 10 2002 - 10:23:11 EST


Hi John,

There are two main issues concerning XSS:

1.
Say you set your browser to fully trust your bank's site and allow it to run scripts in your browser. On the other hand, you deny that privilege from the rest of the sites you visit.
If the bank's site is vulnerable to XSS, when you click on a malformed URL that was presented to you at hacker.com, you will be redirected to your bank's site (which you previously granted scripting rights) and the malicious script written by someone at hacker.com will run.

XSS in that manner is a very good way to run scripts on cautious clients that allow only very specific sites to send them scripts.

2.
Following the previous example, let's say that you are logging into your bank account.
What usually happens is that the server issues you a session cookie which from now on will identify you as the user you entered in the login screen.
Clicking on the previously mentioned URL at hacker.com might run a script that will send your cookie back to the attacker. What happens in 99% of the sites I've tested is that from that point on the attacker can access your bank account without ever needing your username or password. The cookie itself is mostly satisfactory.
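The two points above come down to one defect (user-controlled text landing in the bank's page unencoded) and one cookie that is readable from script. The following is an added example, not code from either poster, showing the defender's side: output encoding of a reflected parameter, and a session cookie issued with the HttpOnly attribute so that a script running in the page cannot read it. The handler shape, the cookie name and the sample input are assumptions for illustration.

```javascript
// Added example (not from the mailing-list thread). Assumed: a server-side
// search page that reflects a "q" query parameter into its HTML.

const SESSION_COOKIE_NAME = 'sessionid'; // hypothetical cookie name

// Encode the characters that let reflected input break out of an HTML
// text node or a quoted attribute value.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the parameter is copied into the page unchanged,
// so markup carried by a crafted link becomes part of the document.
function renderVulnerable(q) {
  return `<p>Results for: ${q}</p>`;
}

// Hardened rendering: the parameter is encoded and is displayed as text.
function renderSafe(q) {
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Issue the session cookie with HttpOnly, which removes it from
// document.cookie and so directly addresses the exfiltration in point 2.
// Secure restricts it to TLS; SameSite limits cross-site requests carrying
// it, but does not stop a script that is already running in the bank's
// origin, which is why output encoding stays the primary fix.
function sessionCookieHeader(sessionId) {
  return `${SESSION_COOKIE_NAME}=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Simple detection for the demo: does rendered output contain a raw
// <script tag that the browser would execute?
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input, the kind of value a malformed URL would carry.
const SAMPLE_INPUT = '<script>alert(1)</script>';

function demo() {
  const before = renderVulnerable(SAMPLE_INPUT);
  const after = renderSafe(SAMPLE_INPUT);
  return {
    vulnerableExecutes: containsRawScript(before), // true
    safeExecutes: containsRawScript(after),        // false
    cookie: sessionCookieHeader('constructed-id-123'),
  };
}

console.log(demo());
```

Encoding must happen for the context the value lands in; the function above is correct for HTML text and quoted attribute values, but a value inserted into a JavaScript string, a URL or a CSS rule needs the encoder for that context instead.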

-----Original Message-----
From: John Madden [mailto:chiwawa999@yahoo.com]
Sent: Tuesday, December 10, 2002 4:39 PM
To: webappsec@securityfocus.com
Subject: XSS

Hello all,

Being new to XSS and seeing a lot of messages in the last couple of weeks on the subject got me wondering...


What is the real vulnerability if the site in question is vulnerable to XSS but does not let you write any malicious scripts on the system, like message boards, forums etc.? Can anything be done to exploit XSS if the above scenario occurs? I know it depends on the web server, packages installed etc... I'm asking in general, is it possible?

You can do the document.cookie and view your cookie, that might give a hint on the structure but... or redirect yourself to another web site :) etc...

I've read the document on XSS by David Endler http://www.idefense.com/papers.html but still have some questions.  

If possible, can the XSS gurus on the list shed some light on the subject.

Thanks for your time,

Cheers



Received on Tue Dec 10 10:33:53 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT

