I recently found an XSS exploit on our company website, which I forwarded on to my boss, who forwarded it on the to programmers.

The programmer in charge of fixing it said it wasn't really a big deal, they couldn't actually do anything harmful with it, except "really crazy advanced" (quoted for accuracy) programmers who put it in an img tag.

So, what are the practical uses of XSS? All of the examples I have seen WERE just putting up javascript errors, so I wasn't able to defend that fact that it's a big issue.

Thanks,

The Fuzz

With an XSS vulnerability attackers can do a number of things:

* Alter what the page that the vulnerability exists on looks like to the user
* Steal the user's cookies and therefore access credentials
* Execute actions on behalf of the user (this is really CSRF, but XSS can overcome all non-intrusive protections against CSRF)
* Hijack the user's browser and make them visit other vulnerable sites, or run Javascript code to do scans of the user's internal network, and even possibly attack common unsecure (and predictably placed) web apps like router software (Javascript Malware)

And after that most of the exploits for browsers are centered around executing Javascript,and so your site could become a method of attacking visitors directly, especially if its a persistent XSS hole.

Thats all I can think of off the top of my head though.

I think that one slideshow of practical uses for XSS that Jeremiah did should be linked to on the XSS cheat sheet. But yeah, anything and everything that javascript can do is an issue. Worst case scenario as of now is probably a persistant XSS that attacks a vulnerability on the consumers end that scans their intranet or abuses a 0day browser exploit to totally root their box or even the network they are on. Or, if an admin visits the infected page, your company could face that same fate. It will probably only get worse as Javascript techniques evolve.

- Kyran

Kyran Wrote:
-------------------------------------------------------
> I think that one slideshow of practical uses for
> XSS that Jeremiah did

Link?

I think you are talking about this: http://www.whitehatsec.com/downloads/whiteHat_hacking_intranets.mp4

- RSnake
Gotta love it. http://ha.ckers.org

I really depends where the XSS hole is located.

the biggest risk is involved when the user can modify the site (like a profile or images etc). With this hole it's possible to remotely insert and execute a shell script on the server. When this is done you could modify config files for example. it's theoretically possible to gain r00t through XSS.

Usually this can't be done through a browser, but you could build a exploit script which you run from a server or local through a proxy. This also can bypass alot of security features build into browsers and the server side scripting configuration, doing it through a local script it ignores the php.ini config file for instance, which could lead to many exploits.

With a hole in a searchfield you could steal cookies, Ddos a users browser, phish around to steal CC data, etc etc.

Or you could steal (alas, this is the most interesting part) the login credentials (full cookie) of the admin. If you got those you have full access on the system where he/she has admin rights. (requires mostly social engineering)

So assume that it can do harm, more then one is willing to risk i can assure.

from http://sla.ckers.org/forum/read.php?2,3271,3273#msg-3273

Quote
me
You can.. steal cookies, account details, propogate a worm, try to get the admin's credentials, force a transfer of funds, change their email or password to allow for account hijacking, have them help you bruteforce a hash, abuse password managers, launch browser exploits for complete rooting, use them as a proxy for other attacks, use it to launch XSS attacks on other sites they may visit and steal their info there, form a very unstable botnet, use it to make users CSRF to any other sites they may visit, use them to skew any sort of online polls, etc..

the 'use them as a proxy for other attacks' is a whole long list by itself. something i've been interested in seeing created is to maintain a laundry list of XSS attacks to major sites (banks, emails, and social networking) and pretty much pwn someones internet life if they visit any page you gain control of. while you're at it: steal their history, geo-locate their un-proxied ip, map their intranet, DMZ their computer, steal cookies from the ~900 sites listed in So It Begins, etc.

Basically just an automated full-identity theft of their online activity/info .. and all because they decided to view the e-card someone sent them for christmas. Tis the season ^^

-maluc

That's a very important thought you have there. It's not just that one site is vulnerable. If you have XSS in one site you have it everywhere, and you can XSS more than one site at a time. In fact, you can XSS around 1000+ sites (some of those disclosures come with Google dorks to find more). I might have to write a blog post about that one. Very good point.

- RSnake
Gotta love it. http://ha.ckers.org