[WEB SECURITY] On Session Riding, Client-side Trojans and Cross-site Request Forgeries

Sverre H. Huseby shh at thathost.com
Thu May 5 04:03:00 EDT 2005

[Bill Pennington]

|   Ok this is a better example than your voting one ;-)

Thanks. :)

|   I still think it is cross site scripting used to attack an
|   insufficiently protected application,

I think calling it XSS is pushing the (loose) definition of XSS too
far.  Reading the original CERT document from 2000 [1], they explain
the cause of the term:

    "Because one source is injecting code into pages sent by another
     source, this vulnerability has also been described as "cross-site"

And another place in the same document:

    "[...] cross-site scripting (the insertion of tags into another
     site's web page)"

Also, CERT's solution to the XSS problem is to have the web site
properly encode HTML metacharacters ("validate output").  This
solution doesn't help protect against Web Trojans.

I didn't remember these quotes, but they fit my understanding of XSS.
It's about injection of code/HTML into pages.  In my example there's
injection of neither code nor HTML from one site to another.

I don't think it's a good idea to stretch the definition of a term to
fit "new" attacks when it means that the age-old solution to the
problem will no longer be sufficient.  I think that indicates that we
are in fact talking about something that is not XSS.

|   I do believe that there is a lot more work that could be done to
|   tighten up the classification system and perhaps finding ways to
|   explain and classify these types of situations would be a good
|   start.

Agreed.  I would need to learn more about the proper terminology in
order to understand what we are trying to classify.  Example:

  * Attacker wants to "impersonate user"
  * Attacker decides to do "session hijacking"
  * Attacker decides to do session hijacking by "cookie theft"
  * Attacker decides to do cookie theft by "Cross-site Scripting"
  * Attacker does XSS by "HTML Injection"
  * HTML Injection is possible due to "lack of HTML Encoding"
  * which is a class of "lack of proper metacharacter handling"

  * Attacker gets access to cookie
  * Attacker passes cookie to target web site

Now, what are all these points?  Some may be attacks, some may be
vulnerabilities, some may be attack vectors, some may be threat, and I
have no idea what else they can be.  Is XSS the attack?  Is HTML
Injection the attack?  Or is the final injection of the stolen cookie
the actual attack while the other points are just "sub attacks" or
something to reach the final goal?  Does anyone care to enlighten me?

Sverre - who leaves for the non-networked cabin in an hour,
         and will be AFK for a couple of days.

1: http://www.cert.org/advisories/CA-2000-02.html

shh at thathost.com               My web security book: Innocent Code
http://shh.thathost.com/       http://innocentcode.thathost.com/
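The claim above that CERT's XSS remedy (encoding output) does nothing against a Web Trojan, shown as an added example that is not part of the original post: a toy "transfer" handler that escapes everything it echoes still performs the transfer when an unrelated page submits a form to it with the victim's cookie attached, while a per-session token check refuses it. Session ids, token values and user names are constructed for the illustration.

```python
import html
import secrets
from dataclasses import dataclass

# Constructed server-side session store: cookie value -> session data.
SESSIONS = {"sid-alice": {"user": "alice", "csrf": "tok-9f3a"}}


@dataclass
class Request:
    cookies: dict   # the browser attaches these to every request for the site
    form: dict      # POST body, whether the form lived on our site or elsewhere


@dataclass
class Response:
    status: int
    body: str = ""


def transfer_encoding_only(req: Request) -> Response:
    """Follows CERT's XSS advice (encode output) but has no CSRF check."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return Response(403, "not logged in")
    # html.escape neutralises HTML injection in what we echo back...
    memo = html.escape(req.form.get("memo", ""))
    # ...but the state change goes through on the strength of the cookie alone.
    return Response(200, f"{sess['user']} sent {html.escape(req.form['amount'])}"
                         f" to {html.escape(req.form['to'])} ({memo})")


def transfer_with_token(req: Request) -> Response:
    """Same handler plus a per-session secret a third-party page cannot know."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return Response(403, "not logged in")
    if not secrets.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return Response(403, "missing or wrong anti-CSRF token")
    return transfer_encoding_only(req)


def run_scenario() -> dict:
    """Two requests reaching the site, both carrying Alice's cookie."""
    cookie = {"session": "sid-alice"}
    # 1. Alice submits the site's own form, which embedded her token.
    own_form = Request(cookie, {"to": "bob", "amount": "10", "csrf": "tok-9f3a"})
    # 2. A form on an unrelated page is submitted to the same URL (the thread's
    #    "Web Trojan"). No HTML was injected into our site; the browser simply
    #    sends the cookie, and that page's author never had the token.
    riding = Request(cookie, {"to": "mallory", "amount": "1000", "memo": "<b>gift</b>"})
    return {
        "own_encoding_only": transfer_encoding_only(own_form).status,
        "riding_encoding_only": transfer_encoding_only(riding).status,
        "own_with_token": transfer_with_token(own_form).status,
        "riding_with_token": transfer_with_token(riding).status,
        "riding_body": transfer_encoding_only(riding).body,
    }
```

The escaped `&lt;b&gt;` in the riding response shows the encoding doing its job while the unwanted transfer still succeeds; only the token check, which has nothing to do with metacharacters, stops it.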

The Web Security Mailing List
