Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
First XSS ?
Posted by: Girzi
Date: August 23, 2006 06:21AM

Hi !
I was wondering when the first XSS was discovered? The very first one =)?
I searched some bugtraqs but found nothing interesting...
Can you help me, please? : )

Re: First XSS ?
Posted by: majohn
Date: August 23, 2006 07:26AM

This might not be the first XSS, but (if i am not mistaken) it is the original advisory: http://www.cert.org/advisories/CA-2000-02.html

Re: First XSS ?
Posted by: Girzi
Date: August 23, 2006 07:39AM

Thank you! I thought it was this advisory too.
And do you know a website/page that tells "the most important events in XSS history"? Or do I have to search all the bugtraqs/advisories =.=' ?
Thank you =)

Re: First XSS ?
Posted by: dev80
Date: August 23, 2006 09:41AM

The origins of Cross-Site Scripting (XSS)
http://jeremiahgrossman.blogspot.com/2006/07/origins-of-cross-site-scripting-xss.html

Re: First XSS ?
Posted by: rsnake
Date: August 23, 2006 11:48AM

Girzi, what are you specifically interested in knowing? Are you writing something?

We've been playing around with XSS since the mid '90s (it wasn't called that back then, but the uses were already known). It wasn't until around 2002 that people started writing papers about it (Amit Klein did a lot of the early work on this). It wasn't until about 2 years ago that I actually started seeing the attacks hit in actual real-world environments, and it hasn't been until this year that it has really taken off as a major attack vector (especially with the intranet scanning stuff) to bypass network restrictions.

- RSnake
Gotta love it. http://ha.ckers.org

Re: First XSS ?
Posted by: Girzi
Date: August 23, 2006 12:37PM

dev80, thank you for the link.
rsnake, yes, I'm writing an article about the history of XSS (for a French magazine). I have to write an article about client-side attacks (XSS, XSRF...) but with a historical perspective.

The First XSS, then xss on webmail, then the first xss worm, then flash header spoof, then maybe flash worms...

I'm very interested in the '90s, when you played with XSS!

Can you help me? Because I know you are a master of XSS =)

Thank you.

Re: First XSS ?
Posted by: rsnake
Date: August 23, 2006 02:03PM

When we first started playing with it, it was designed primarily to know things about the page it was residing on, not to steal credentials or deface anything (although those applications were known, it was not clear how you would "get" someone to put that information on their pages). The first HTML injection defacements that I am aware of were on an old web-board called ChatTropolis (this would have been in the 1995-1996 timeframe). From there it became clear that anyone could take over any webpage that allowed user input and rendered it back to the page. Most of the time this was inadvertent more than anything, and you have to remember the web was not nearly as dynamic as it is now, so there were hardly any places that were vulnerable as a result.

The first actual XSS for even vaguely malicious purposes was the banner advertisers who began to research ways to use XSS and the popularity of JavaScript to "know" things about the website it was being served up on. It was a benign purpose, although people could easily argue that it was a privacy concern (this was in 1996-1997).

The first HTML sanitizers came out around that time (I released formlibsecure.pm around that time to try to compensate for some of those issues - around the year 2000): http://66.218.69.11/search/cache?p=formlibsecure+rsnake&ei=UTF-8&fr=FP-tab-web-t&fl=0&x=wrt&u=www.shocking.com/%7Ersnake/formlibsecure.html&w=formlibsecure+rsnake&d=Y-FWhWP9NEqw&icp=1&.intl=us

Other tools followed. Then PHP really came on the scene in force right around that time. That allowed the web to become far more dynamic and hence far less secure, because fewer people knew about security compared to how many people were coding (as a percentage). The barrier to entry was lowered significantly with PHP. And I'm sure you can fill in a lot of the blanks from the 2000-2006 timeframe, so I won't waste your time on that.

- RSnake
Gotta love it. http://ha.ckers.org

Re: First XSS ?
Posted by: Girzi
Date: August 23, 2006 02:37PM

And in the period 2000-2004, do you remember some important events? Like XSS on Yahoo or Hotmail? Some interesting research? For the period 2005-2006 I'd say the Samy worm and the Flash technology (spoofed headers, Flash worms...)!

Thanks for the help ;-)

Re: First XSS ?
Posted by: rsnake
Date: August 23, 2006 07:50PM

I was asked to forward these on to you, Girzi:

http://www.microsoft.com/technet/archive/security/news/crssite.mspx?mfr=true
http://www.usatoday.com/tech/news/2001-08-31-hotmail-security.htm

It would probably take a while to formulate this answer, there are a lot of things, like the SAMY worm that woke a lot of people up, the Flash worm was another huge issue. I would argue that Burp Proxy and Paros Proxy made a huge difference in actual awareness of how exploitation worked. I would argue that even my XSS Cheat Sheet has made a huge difference (started it in early 2004). There's almost too much to count, as it's been almost an exponential growth in the last several years.

Re: First XSS ?
Posted by: dev80
Date: August 23, 2006 08:55PM

A couple more early references

http://www.wired.com/news/technology/0,1282,38292,00.html
http://attrition.org/security/advisory/misc/bwc.99-04-20.ebayla_bug
http://news.com.com/2100-1033-214787.html

Re: First XSS ?
Posted by: Girzi
Date: August 24, 2006 03:18AM

Thank you very much for all these links, rsnake and dev80!
Do you have more information about the first HTML injection defacement? I mean ChatTropolis, because it's a very, very interesting anecdote!

Re: First XSS ?
Posted by: trix
Date: August 24, 2006 08:10AM

Well, those were the IIS servers that didn't sanitize the new standard of encoding, so hex characters weren't handled properly, therefore leading to an exploit. I'm just curious if you're talking about that.

trix

Re: First XSS ?
Posted by: rsnake
Date: August 24, 2006 10:10AM

Girzi, the first I am aware of was a series of "backdoors" that people built. They would create a form submission page on another site, with their own HTML embedded in the "username" field, which would render when it got to the destination chat board. So you would post images, or colors or whatever to the board, and it would be seen by every user as it scrolled by (the history was only a few hundred or a few thousand lines long so eventually you could get rid of any defacement simply by posting a few hundred lines, leaving and coming back to flush your history - unless the defacer posted regularly).

Back in those days it was used to post as other people, since name collision was pretty primitive, and even after they built it well, special chars or hidden chars would circumvent that and you could post from what looked like someone else's account. Eventually I think they disabled the HTML backdoors once they really figured out how to sanitize the input fields, but it stayed broken for a year or more from what I recall. It was mostly just kiddy stuff, but it got fairly sophisticated near the end, where it would remove all the text on a page, or change words, or overwrite the entire page, or even flat out break it so that no one could use it until they logged back in.

- RSnake
Gotta love it. http://ha.ckers.org
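The two mechanics rsnake describes in this post and in the earlier one (a form hosted on another site that pushes raw HTML into a field the board echoes back, and a name-collision check that hidden characters slip past) are small enough to model end to end. The following is an added example written for this page, not code from the thread or from any of the boards mentioned; the POST body, the display names and the image host attacker.example are all constructed for the demonstration. It shows the echo-it-back rendering beside an escaped version, and the byte-for-byte name check beside one that canonicalizes before comparing.

```python
import html
import unicodedata
from urllib.parse import parse_qs, urlencode

# --- the "backdoor": a form hosted on the attacker's own site -------------
# The board only ever received an ordinary form POST; it had no way to tell
# that the username field had been typed into a hand-built form elsewhere.
# attacker.example is a hypothetical placeholder host.

def backdoor_form_body(username_html: str, message: str) -> str:
    """Constructed body of the POST an attacker-hosted form would send to the board."""
    return urlencode({"username": username_html, "message": message})


def parse_post(body: str) -> tuple[str, str]:
    """Decode an application/x-www-form-urlencoded body into (username, message)."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("username", [""])[0], fields.get("message", [""])[0]


# --- the 1990s board: echo the fields straight back into the page ---------

def render_line_vulnerable(body: str) -> str:
    """Interpolates the fields raw, so markup in 'username' renders for every viewer."""
    user, msg = parse_post(body)
    return f"<b>{user}</b>: {msg}<br>"


# --- the hardened board: escape on output, canonicalize before comparing --

def render_line_hardened(body: str) -> str:
    """HTML-escape both fields (quote=True also escapes ' and ") so they stay text."""
    user, msg = parse_post(body)
    return f"<b>{html.escape(user, quote=True)}</b>: {html.escape(msg, quote=True)}<br>"


def naive_name_key(user: str) -> str:
    """The 'primitive' collision check: the display name is the key, byte for byte."""
    return user


def canonical_name_key(user: str) -> str:
    """Key for the collision check: NFKC-normalize, drop every non-printable code
    point (controls, zero-width and other format chars, non-ASCII spaces), collapse
    whitespace runs, case-fold. Names that look alike on screen because one carries
    hidden characters now map to the same key. Homoglyphs from other scripts are
    not covered by this step."""
    s = unicodedata.normalize("NFKC", user)
    s = "".join(ch for ch in s if ch.isprintable())
    return " ".join(s.split()).casefold()


class Board:
    """Minimal registry of display names keyed by a caller-chosen canonicalizer."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.taken: set[str] = set()

    def register(self, user: str) -> bool:
        key = self.key_fn(user)
        if not key or key in self.taken:   # a name that is empty after cleaning is refused too
            return False
        self.taken.add(key)
        return True


if __name__ == "__main__":
    payload = backdoor_form_body('<img src="http://attacker.example/x.gif">', "hi all")
    print(render_line_vulnerable(payload))   # the <img> tag lands in every viewer's page
    print(render_line_hardened(payload))     # &lt;img ...&gt; appears as literal text

    for key_fn in (naive_name_key, canonical_name_key):
        board = Board(key_fn)
        board.register("rsnake")
        # zero-width space appended: identical on screen, different bytes
        print(key_fn.__name__, "accepts impostor:", board.register("rsnake\u200b"))
```

The escaping belongs at the point of output, not at the form handler: the hidden-character trick shows why input-side filtering that only compares raw strings is not enough, and output escaping still protects a field that was stored before the filter existed.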

Re: First XSS ?
Posted by: Girzi
Date: August 26, 2006 03:02AM

Okay : ) Thanks for all this information, now I'll do some research =)
Thanks : )

Re: First XSS ?
Posted by: rsnake
Date: August 26, 2006 12:23PM

Anytime. Let me know when you're done, I'd like to read it if you have an english translation (or I'll just use http://babelfish.altavista.com/).

- RSnake
Gotta love it. http://ha.ckers.org

Re: First XSS ?
Posted by: Girzi
Date: August 26, 2006 01:14PM

No problem ;-)
Well, at the moment it's just a project, I'm not sure if it's certain. I have to write something like a paper for a French magazine about XSS, from the first one to the situation in 2006. I mean I have to follow the history of XSS, the development of XSS, their increase in power through the ages, with examples and source code =).
Do you follow me? (sorry for my bad English :P)
When I say a paper, it's something about 20 pages =)

Re: First XSS ?
Posted by: rsnake
Date: August 26, 2006 10:32PM

That's great. Congrats, and I look forward to seeing it if you get it published!

Don't worry about your English, I understand you perfectly.

- RSnake
Gotta love it. http://ha.ckers.org

Re: First XSS ?
Posted by: Girzi
Date: August 27, 2006 09:57AM

The project was accepted today by the big boss =) Now I'll have to work on it : )
