
Re: XSS

From: Jeff Williams (at) Aspect <(at)>
Date: Wed Dec 11 2002 - 10:57:47 EST

Matt is exactly right here. Even web sites with no storage can be susceptible to really serious XSS attacks. These attacks are simply reflected off a vulnerable server. We've been calling these 'external XSS' attacks -- because the attack is never stored on the vulnerable web server.

Can anyone think of any differences between 'persistent' and 'external' XSS attacks in terms of the damage they can cause? They are definitely different in terms of the difficulty of launching the attack (external XSS may even be easier!) -- but the consequences are the same, right? If that's true then 'external XSS' would represent a more serious risk than the persistent variety.

--Jeff

Jeff Williams
jeff.williams@aspectsecurity.com
Aspect Security, Inc.
www.aspectsecurity.com

----- Original Message -----
From: Matthew Miller
To: John Madden
Cc: webappsec@securityfocus.com
Sent: Wednesday, December 11, 2002 8:03 AM
Subject: Re: XSS

John-

Two things....

First, there are really two types of XSS: persistent, where the injected code is stored within the web application, such as in distribution lists, databases, etc., and transaction based, requiring a user to perform an action in order to be affected, such as click on a link, view a page with malicious script in it, etc. Therefore, any site that is accepting any form of user input is potentially vulnerable...though the risk of persistent XSS exceeds the risk of transaction based XSS in most cases.

Second, XSS is not only used to grab a user's session ID. An attacker could inject code into the page to redirect the user or modify presentation of content. Imagine a corporate site where you could add/modify a press release or news items, could you impact the company's stock price or lessen consumer confidence? Imagine a pharmaceutical site where you could modify dosage for medication, could you get someone to overdose?

mm

--
Matthew P. Miller
www.atstake.com

On Tuesday, December 10, 2002, at 11:35 AM, John Madden wrote:

> Hi All,
Received on Wed Dec 11 12:14:34 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT
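
The two paths discussed in this thread, a reflected ('external') value and a stored ('persistent') value, end at the same HTML output sink, shown here as an added example that is not part of the original messages. All function names and the sample input are constructed for illustration; the fix shown is output encoding for HTML element content.

```javascript
// Constructed marker input; any markup in untrusted data behaves the same way.
const SAMPLE = '<script>alert(1)</script>';

// Encode the five HTML-significant characters for element-content context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// "External" (reflected) path: nothing is stored, the value comes
// straight from the current request and goes into the response.
function renderSearch(query, encode) {
  const q = encode ? escapeHtml(query) : query;
  return `<p>Results for ${q}</p>`;
}

// "Persistent" path: the value was saved earlier and is read back
// into the page for every later viewer.
const comments = [];
function saveComment(text) { comments.push(text); }
function renderComments(encode) {
  return comments.map((c) => `<li>${encode ? escapeHtml(c) : c}</li>`).join('');
}

// Simple check for this sample only: did the markup survive as markup?
function containsLiveMarkup(html) {
  return html.includes('<script>');
}

// Run the same input through both paths, with and without encoding.
function demo() {
  saveComment(SAMPLE);
  return {
    reflectedRaw: containsLiveMarkup(renderSearch(SAMPLE, false)),
    storedRaw: containsLiveMarkup(renderComments(false)),
    reflectedEncoded: containsLiveMarkup(renderSearch(SAMPLE, true)),
    storedEncoded: containsLiveMarkup(renderComments(true)),
  };
}

console.log(demo());
```

Without encoding, both renderers emit the input as markup; with encoding at the sink, both emit it as inert text, regardless of whether the value was stored.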

