Bill Pennington bill at whitehatsec.com
Tue Jan 13 20:23:41 EST 2009

This is always a kinda hard one for XSS because in many ways it has to  
do with the application that has the XSS. The other issue is many  
people feel that XSS is not an attack or exploit but a weakness.

At the base level XSS allows me to insert HTML/JavaScript into a page  
or site. Is that bad? Probably so, however it could be used for good.  
To a large extent Greasemonkey is a localized XSS on a site that has a  
good outcome. It is kinda like a buffer overflow, I can own your box  
with it or I can use it to jailbreak my iPhone. The flaw can be used  
for bad things or good things. For the sake of this discussion though  
I will just go with the typical persistent XSS and someone is out to  
do bad things.

1. We are seeing a huge rise in people using XSS to link to JS that  
then does a drive by malware install. This is really leveraging the  
traffic certain sites have to get the most malware installs as possible.

2. More subtle things like replacing a site's Google ads with mine or  
replacing affiliate links etc.

3. In a banking app doing a wire transfer from you to me. This  
happened around 2000 or 2001 to Citibank but I can't find the ref ATM.

4. Using it as a platform for CSRF. This one gets tricky cause an XSS  
based CSRF is a bit different than doing CSRF via something like an  
img tag.

5. As mentioned before, I could infect your site with the dreaded  
marquee tag or the always deadly blink tag.

I am sure others will have some great site specific examples of all  
the badness that can happen as well.

Bill Pennington
SVP Services
WhiteHat Security Inc.

On Jan 13, 2009, at 4:31 PM, Pete Lindstrom wrote:

> Greetings –
> I am trying to get my arms around the cross-site scripting  
> vulnerability impact and can only come up with it as an enabler of  
> other exploits. Can you give me your best (highest impact) examples  
> of what an XSS vuln can do without combining with other exploit  
> techniques?
> Thanks,
> Pete
> Pete Lindstrom
> Research Director
> Spire Security
> 610-644-9064
> blog: http://spiresecurity.typepad.com
