[WEB SECURITY] XSS Impact
Bill Pennington
bill at whitehatsec.com
Tue Jan 13 20:23:41 EST 2009
This is always a kinda hard one for XSS because in many ways it has to
do with the application that has the XSS. The other issue is that many
people feel XSS is not an attack or exploit but a weakness.
At the base level XSS allows me to insert HTML/JavaScript into a page
or site. Is that bad? Probably so; however, it could be used for good.
To a large extent Greasemonkey is a localized XSS on a site that has a
good outcome. It is kinda like a buffer overflow: I can own your box
with it, or I can use it to jailbreak my iPhone. The flaw can be used
for bad things or good things. For the sake of this discussion, though,
I will just go with the typical persistent XSS and someone who is out to
do bad things.
1. We are seeing a huge rise in people using XSS to link to JS that
then does a drive-by malware install. This is really leveraging the
traffic certain sites have to get as many malware installs as possible.
2. More subtle things like replacing a site's Google ads with mine or
replacing affiliate links, etc.
3. In a banking app doing a wire transfer from you to me. This
happened around 2000 or 2001 to Citibank but I can't find the ref ATM.
4. Using it as a platform for CSRF. This one gets tricky because an
XSS-based CSRF is a bit different than doing CSRF via something like an
img tag.
5. As mentioned before, I could infect your site with the dreaded
marquee tag or the always deadly blink tag.
I am sure others will have some great site specific examples of all
the badness that can happen as well.
---
Bill Pennington
SVP Services
WhiteHat Security Inc.
http://www.whitehatsec.com
On Jan 13, 2009, at 4:31 PM, Pete Lindstrom wrote:
> Greetings –
>
> I am trying to get my arms around the cross-site scripting
> vulnerability impact and can only come up with it as an enabler of
> other exploits. Can you give me your best (highest impact) examples
> of what an XSS vuln can do without combining with other exploit
> techniques?
>
> Thanks,
>
> Pete
>
> Pete Lindstrom
> Research Director
> Spire Security
> 610-644-9064
> blog: http://spiresecurity.typepad.com
>
>