[WEB SECURITY] Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript

Billy Hoffman Billy.Hoffman at spidynamics.com
Mon Jul 31 16:04:03 EDT 2006


Thanks for the feedback Amit.

>>>
1. part is too, but I didn't run a full check though). As for the idea
that
you can attack 3rd party sites via JS, I don't think it's new. For
example, 
<<<<

You are correct and perhaps that was bad wording. It was more that
detecting/fingerprinting is new and detecting/fingerprinting makes
attacking 3rd part sites or apps from JS (particularly intranet apps)
more feasible.

>>>>
2. You mention "Increased Danger from Cross Site Scripting [...] This
means any XSS vulnerability on any site can be used to attack the end
user, regardless of the features of the vulnerable site." In my
understanding, the increased danger comes only from permanent (stored)
XSS 
<<<<

The point I was trying to make was that all XSS is bad. If you have a
site with an XSS vuln, even if the site is so devoid of features that
session hijacking or Ajax worming or other common XSS payloads aren't
really applicable, the XSS vuln can still be used to do Very Bad
Things(tm) to a user that have nothing to do with how that user
interacts with your site.

>>>>
3. In the recommendation part, you focus more on XSS prevention, but I
think that there are some measures that can reduce the fingerprinting
vector, at least as described in your text.
<<<<

The whitepaper I wrote didn't have any recommendations :-) This was
added in because SPI wanted to give at least some options. I find it
depressing that the only advice anyone in this industry can give end
users about XSS is "Turn off JavaScript" and "pressure websites to
secure their pages." I agree with Jeremiah that XSS is the new shell
code.

Billy Hoffman
--
Lead R&D Engineer
SPI Dynamics - http://www.spidynamics.com
Phone: 678-781-4800
Direct: 678-781-484

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list