sla.ckers.org (ha.ckers sla.cking)
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails.
Practical uses of XSS (malicious or otherwise?)
Posted by: FuzzyLogik
Date: December 09, 2006 03:39PM

I recently found an XSS exploit on our company website, which I forwarded on to my boss, who forwarded it on to the programmers.

The programmer in charge of fixing it said it wasn't really a big deal, they couldn't actually do anything harmful with it, except "really crazy advanced" (quoted for accuracy) programmers who put it in an img tag.

So, what are the practical uses of XSS? All of the examples I have seen WERE just putting up javascript errors, so I wasn't able to defend the fact that it's a big issue.

Thanks,

The Fuzz

Re: Practical uses of XSS (malicious or otherwise?)
Posted by: kuza55
Date: December 09, 2006 04:22PM

With an XSS vulnerability attackers can do a number of things:

* Alter what the page that the vulnerability exists on looks like to the user
* Steal the user's cookies and therefore access credentials
* Execute actions on behalf of the user (this is really CSRF, but XSS can overcome all non-intrusive protections against CSRF)
* Hijack the user's browser and make them visit other vulnerable sites, or run Javascript code to do scans of the user's internal network, and even possibly attack common insecure (and predictably placed) web apps like router software (Javascript Malware)

And after that, most of the exploits for browsers are centered around executing Javascript, and so your site could become a method of attacking visitors directly, especially if it's a persistent XSS hole.

That's all I can think of off the top of my head though.

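The first two items in the list above (altering the page, and stealing the session cookie) both hinge on the server reflecting attacker-controlled text into HTML unencoded. The following is an added example, not code from the thread or from any poster: it shows a search page rendered the vulnerable way and the hardened way, and a session cookie issued with the HttpOnly and Secure flags so that even a script that does run cannot read it from document.cookie. The page names, query string and cookie value are constructed for the example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: a search term carrying the same kind of
# script tag the thread discusses (alert() rather than a cookie-stealer).
SAMPLE_QUERY = "<script>alert(1)</script>"


def render_search_vulnerable(query: str) -> str:
    """Reflects the search term into the HTML body verbatim.

    This is the reflected-XSS hole: the browser parses the term as markup,
    so a <script> tag in it executes in the site's origin.
    """
    return f"<p>Results for: {query}</p>"


def render_search_hardened(query: str) -> str:
    """Reflects the search term after HTML-encoding it.

    html.escape() with quote=True encodes & < > " and ', which is the correct
    treatment for HTML text and quoted attribute values. It is NOT sufficient
    for a term placed inside a <script> block, an event handler, a URL or CSS;
    those contexts need their own encoders.
    """
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def contains_live_script(rendered: str) -> bool:
    """Crude check used by the example: is an un-encoded <script tag present?"""
    return "<script" in rendered.lower()


def session_cookie_header(session_id: str) -> str:
    """Builds a Set-Cookie value with HttpOnly, Secure and SameSite set.

    HttpOnly keeps the cookie out of document.cookie, so a script injected
    through XSS cannot simply read and exfiltrate it; Secure keeps it off
    cleartext HTTP; SameSite=Lax blunts cross-site request forgery.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    # output(header="") yields just the "session=...; ..." attribute string
    return cookie.output(header="").strip()


if __name__ == "__main__":
    print("vulnerable :", render_search_vulnerable(SAMPLE_QUERY))
    print("hardened   :", render_search_hardened(SAMPLE_QUERY))
    print("Set-Cookie :", session_cookie_header("constructed-session-id"))
```

Encoding on output is the fix for the hole itself; the cookie flags are defence in depth for the case where some other injection point is missed. Neither replaces the other.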
Re: Practical uses of XSS (malicious or otherwise?)
Posted by: Kyran
Date: December 09, 2006 04:46PM

I think that one slideshow of practical uses for XSS that Jeremiah did should be linked to on the XSS cheat sheet. But yeah, anything and everything that javascript can do is an issue. Worst case scenario as of now is probably a persistent XSS that attacks a vulnerability on the consumer's end that scans their intranet or abuses a 0day browser exploit to totally root their box or even the network they are on. Or, if an admin visits the infected page, your company could face that same fate. It will probably only get worse as Javascript techniques evolve.

- Kyran

Re: Practical uses of XSS (malicious or otherwise?)
Posted by: FuzzyLogik
Date: December 09, 2006 05:08PM

Kyran Wrote:
> I think that one slideshow of practical uses for
> XSS that Jeremiah did

Link?

Re: Practical uses of XSS (malicious or otherwise?)
Posted by: rsnake
Date: December 09, 2006 05:56PM

I think you are talking about this: http://www.whitehatsec.com/downloads/whiteHat_hacking_intranets.mp4

- RSnake
Gotta love it. http://ha.ckers.org

Re: Practical uses of XSS (malicious or otherwise?)
Posted by: jungsonn
Date: December 09, 2006 08:46PM

It really depends where the XSS hole is located.

The biggest risk is involved when the user can modify the site (like a profile or images etc). With this hole it's possible to remotely insert and execute a shell script on the server. When this is done you could modify config files, for example. It's theoretically possible to gain r00t through XSS.

Usually this can't be done through a browser, but you could build an exploit script which you run from a server or locally through a proxy. This also can bypass a lot of security features built into browsers and the server-side scripting configuration; doing it through a local script ignores the php.ini config file, for instance, which could lead to many exploits.

With a hole in a search field you could steal cookies, DDoS a user's browser, phish around to steal CC data, etc etc.

Or you could steal (alas, this is the most interesting part) the login credentials (full cookie) of the admin. If you got those you have full access on the system where he/she has admin rights. (Requires mostly social engineering.)

So assume that it can do harm, more than one is willing to risk, I can assure.

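A search field is the classic reflected case, and from the defender's side it is also the easiest one to watch for: the injected markup travels in the query string and lands in the web server's access log. The following is an added example, not code from the thread or from any poster. It parses a handful of constructed combined-format log lines, URL-decodes each query parameter (repeatedly, so double-encoded probes are not missed), flags values that contain script or event-handler markup, and counts flagged requests per source address. The log lines, addresses and paths are constructed for the example; the pattern list is deliberately short and would need extending for real traffic.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access log lines (Apache/nginx "combined" format).
# Line 1: plain reflected <script> probe against the search field.
# Line 2: an ordinary search.
# Line 3: double-encoded <img onerror=...> probe against a profile page.
LOG_LINES = [
    '203.0.113.5 - - [09/Dec/2006:15:39:02 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Dec/2006:15:40:11 +0000] "GET /search?q=widgets&page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Dec/2006:15:41:30 +0000] "GET /profile?name=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 733 "-" "Mozilla/5.0"',
]

# Fields of the combined log format that the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Markup fragments that have no business in a search term or a user name.
SUSPICIOUS = re.compile(
    r'<\s*script|javascript\s*:|\bon\w+\s*=|<\s*img\b|<\s*iframe\b|<\s*svg\b',
    re.IGNORECASE,
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), so that
    %253C (-> %3C -> <) is seen as the '<' it becomes in the browser."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_probes(lines):
    """Return (source_ip, path, parameter, decoded_value) for every query
    parameter whose decoded value matches SUSPICIOUS."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line; a real pipeline would count these
        parts = urlsplit(match.group("target"))
        # parse_qsl already decodes one layer; decode_fully handles the rest
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = decode_fully(value)
            if SUSPICIOUS.search(decoded):
                hits.append((match.group("ip"), parts.path, name, decoded))
    return hits


def probes_by_source(hits):
    """Count flagged requests per source address, which is what you want
    when one client is probing several parameters or pages."""
    counts = {}
    for ip, _path, _param, _value in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_xss_probes(LOG_LINES)
    for ip, path, param, value in found:
        print(f"{ip} {path} {param}={value!r}")
    print(probes_by_source(found))
```

Such a check only sees GET parameters; a probe sent in a POST body or in a header such as Referer needs the application's own logging. It also tells you someone is probing, not that the page is vulnerable, which is why the fix still has to be output encoding on the server.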
Re: Practical uses of XSS (malicious or otherwise?)
Posted by: maluc
Date: December 10, 2006 08:03AM

From http://sla.ckers.org/forum/read.php?2,3271,3273#msg-3273, quoting myself:
> You can.. steal cookies, account details, propagate a worm, try to get the admin's credentials, force a transfer of funds, change their email or password to allow for account hijacking, have them help you bruteforce a hash, abuse password managers, launch browser exploits for complete rooting, use them as a proxy for other attacks, use it to launch XSS attacks on other sites they may visit and steal their info there, form a very unstable botnet, use it to make users CSRF to any other sites they may visit, use them to skew any sort of online polls, etc..

The 'use them as a proxy for other attacks' is a whole long list by itself. Something I've been interested in seeing created is to maintain a laundry list of XSS attacks to major sites (banks, emails, and social networking) and pretty much pwn someone's internet life if they visit any page you gain control of. While you're at it: steal their history, geo-locate their un-proxied IP, map their intranet, DMZ their computer, steal cookies from the ~900 sites listed in So It Begins, etc.

Basically just an automated full-identity theft of their online activity/info .. and all because they decided to view the e-card someone sent them for christmas. Tis the season ^^

-maluc

Re: Practical uses of XSS (malicious or otherwise?)
Posted by: rsnake
Date: December 10, 2006 09:45PM

That's a very important thought you have there. It's not just that one site is vulnerable. If you have XSS in one site you have it everywhere, and you can XSS more than one site at a time. In fact, you can XSS around 1000+ sites (some of those disclosures come with Google dorks to find more). I might have to write a blog post about that one. Very good point.

- RSnake
Gotta love it. http://ha.ckers.org
