[WEB SECURITY] Advantages of attacks on sites with using other sites and Using of tags frameset and iframe for conducting XSS attacks

MustLive mustlive at websecurity.com.ua
Sun Jun 16 19:44:23 EDT 2013


Hello participants of Mailing List.

Recently I wrote some new articles, and I'll tell you briefly about two of
my articles (from 2010 and 2013) concerning the advantages of attacks on
sites using other sites and the use of the frameset and iframe tags for
conducting XSS attacks. These topics should be interesting for you
(especially for those who haven't read them before).

1. Advantages of attacks on sites with using other sites.
http://websecurity.com.ua/4562/

In this article I described the advantages of different attacks on web
sites using other sites (which I've described in three previous
articles). I didn't write to you about it earlier, so I'm doing it now. In
the article I've described the advantages for DoS attacks, DDoS attacks and
sending spam via other sites.

In 2010 I wrote about DoS and DDoS attacks via other sites and sending spam
via other sites in my articles:

Using of the sites for attacks on other sites
http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html
http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-June/006761.html
DDoS attacks via other sites execution tool (DAVOSET)
http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006832.html
Sending spam via sites and creating spam-botnets
http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html

In particular, in the second article I wrote about DDoS attacks using many
other sites as zombie-servers and presented my tool DAVOSET to you. Refresh
your memory of these articles, since I'll write on this topic soon.

2. Using of tags frameset and iframe for conducting XSS attacks.
http://websecurity.com.ua/6561/

In this article I described non-standard uses of the frameset and iframe
tags for conducting XSS attacks, which I found back on 08.09.2008, during
my research of vulnerabilities in browsers. My methods of attack using
these tags are not well known; in particular, they are not presented in
the famous XSS Cheat Sheet by RSnake (neither in 2008 nor in 2013). Earlier
RSnake hosted it at his site, but recently he moved it to the XSS Filter
Evasion Cheat Sheet at the OWASP web site.

My techniques can be used to bypass restrictions (in some browsers) that
exist when using old methods of XSS attacks with the frameset and iframe
tags, and for conducting XSS attacks that bypass security filters and WAFs
which are not aware of them.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 





