[WEB SECURITY] Strictly social XSS

MustLive mustlive at websecurity.com.ua
Sat Nov 5 17:05:14 EDT 2011


Hello, participants of the Mailing List.

As I told you at the end of last month, last week I published my
article Strictly social XSS (this article was planned for writing already in
September 2007). And this week I published the English version of it
(http://websecurity.com.ua/5476/), which I'm presenting to you.

Earlier I've told you about different classes of Cross-Site Scripting
vulnerabilities, including many classes created by me. Last time I told
you about Cross-Application Scripting (http://websecurity.com.ua/5438/),
and concerning classes created by me - about Cross-Language Scripting
(http://websecurity.com.ua/4247/). And now I'll tell you about another
type of XSS vulnerabilities. I created this class already in September
2007 (though I had found such holes earlier) and at last came to writing a
detailed article about it.

This is Strictly social XSS, which I announced already in 2007 and now
will tell you about in detail. On 23.09.2007 I found a Cross-Site Scripting
vulnerability in Mozilla and Firefox (http://websecurity.com.ua/1413/),
which I disclosed at the beginning of October, and which I referred to the
Strictly social XSS type. Since then I have many times used the term
Strictly social XSS for such vulnerabilities, actively popularizing it.

If in September 2007 I found the possibility of this attack via the gopher
protocol, then on the 9th of February 2008 I found the possibility of using
the http, https and ftp protocols, which I wrote about in the post Cross-Site
Scripting with UTF-7 in Mozilla and Firefox
(http://websecurity.com.ua/3062/). In all these cases the attack was
conducted upon visiting a special page with UTF-7 text (it could be either a
reflected or a persistent attack), where it was needed to force the victim
to set UTF-7 encoding in the browser (by choosing the appropriate item in
the menu). This could be done by using a social engineering method, as I
showed in examples of XSS attacks for different protocols.

gopher:///1+ADw-SCRIPT+AD4-alert('XSS')+ADw-/SCRIPT+AD4-
gopher:///1Turn%20on%20UTF-7%20to%20view%20this%20message%20+ADw-SCRIPT+AD4-alert('XSS')+ADw-/SCRIPT+AD4-

Taking into account that the attack could be conducted on any gopher, http,
https or ftp resource (which showed the UTF-7 text set in the URL in the
response to the request), it was a universal Strictly social XSS
vulnerability. I'll also note that, while in 2007 Mozilla ignored this
vulnerability, in autumn 2008 Mozilla silently fixed it in Firefox 3.0.2.

Table of contents:

1. Nuances of Strictly social XSS.
2. Events handlers.
3. Types of Strictly social XSS.
4. Strictly social XSS reflected.
5. Strictly social XSS persistent.
6. Strictly social XSS DOM based.
7. Strictly social XSS local.
8. Strictly social XSS reflected self-contained.
9. Strictly social XSS persistent self-contained.
10. Using Strictly social XSS together with additional attack techniques.

You can read the article Strictly social XSS at my site:
http://websecurity.com.ua/5476/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
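The UTF-7 trick in the payloads above works because a browser forced into
UTF-7 decodes the shift sequence "+ADw-" as "<" and "+AD4-" as ">". The
following is an added example, not code from the post or from MustLive: a
small checker a site operator can run over echoed or stored text to flag
content that only becomes markup under UTF-7, plus the "+-" defanging that
keeps such text harmless. The sample URL is constructed from the post's
gopher example; the function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample, modelled on the post's second gopher URL.
SAMPLE_URL = ("gopher:///1Turn%20on%20UTF-7%20to%20view%20this%20message%20"
              "+ADw-SCRIPT+AD4-alert('XSS')+ADw-/SCRIPT+AD4-")

# Markup that should never appear in user-controlled text once decoded.
DANGEROUS = re.compile(
    r"<\s*/?\s*(script|iframe|img|svg|object|embed)\b|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def decode_as_utf7(text: str) -> str:
    """Render text the way a browser switched to UTF-7 would see it:
    '+ADw-' becomes '<', '+AD4-' becomes '>' (RFC 2152 shift sequences)."""
    return text.encode("ascii", errors="replace").decode("utf-7", errors="replace")


def utf7_reveals_markup(text: str) -> bool:
    """True when the UTF-7 reading exposes markup the plain ASCII reading lacks."""
    raw_hit = DANGEROUS.search(text) is not None
    utf7_hit = DANGEROUS.search(decode_as_utf7(text)) is not None
    return utf7_hit and not raw_hit


def neutralize_utf7(text: str) -> str:
    """Defang: in UTF-7 the pair '+-' is a literal '+', so doubling every '+'
    into '+-' means no shift sequence survives a forced UTF-7 decode."""
    return text.replace("+", "+-")


def check_url_payload(url: str) -> dict:
    """Inspect the path/query of a URL as a server that echoes it would."""
    echoed = unquote(url.split("://", 1)[-1])
    return {
        "utf7_hidden_markup": utf7_reveals_markup(echoed),
        "decoded_view": decode_as_utf7(echoed),
        "neutralized_ok": not utf7_reveals_markup(neutralize_utf7(echoed)),
    }


if __name__ == "__main__":
    print(check_url_payload(SAMPLE_URL))
```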