[23179] in bugtraq
Cross Site Scripting holes abound
daemon@ATHENA.MIT.EDU (security@devitry.com)
Mon Nov 19 13:21:24 2001
Date: 17 Nov 2001 02:05:53 -0000
Message-ID: <20011117020553.20227.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: <security@devitry.com>
To: bugtraq@securityfocus.com
Mailer: SecurityFocus
::: Summary ::::
Over a year and a half since CERT issued
warning on Cross Site Scripting, most dynamic
websites are _still_ not filtering user input. This
lets remote sites access to write scripts on vunlerable
sites, stealing cookies, performing actions on behalf
of user or modifying look of content on site. I did a
quick
check of the top 15 sites (and other sites I use) and
found holes in _most_ of them.
::: Sites Affected :::
http://www.microsoft.com/
http://www.msnbc.com/
http://www.oracle.com/
http://www.about.com/
http://www.doubleclick.net/
http://www.netscape.com/
http://www.paypal.com/
http://www.google.com/
... many more not listed....
::: Details ::::
In general, if you can replace any url parameter with
""><script>alert(document.cookie)</script>"
and you get an alert, the site may be vulnerable.
Samples and details listed at
http://www.devitry.com/security.html
The samples on the above site take it one step
futher and send the cookie data to another site.
Even https sites are vulnerable since cookie data
is available to javascript on page.
:::: Fix :::::
You should validate or filter all user input, including
hidden form fields and id's passed in url's before
the data is written out to the page. Any poorly
written script on your whole domain could give you
problems. (even old ones that do nothing like
testenv) Filtering or encoding is should be done
for ", >, < and sometimes '
You should monitor for "script" passed in url's to
your site... However, blocking in the url alone
is not good enough as the parameter could be passed
in "POST" data.
For sites that have your data, you should always
log out at the end of your session, and you should
not surf more then one site at a time.
::: Discussion :::
Most of these holes were discovered in a matter of
minutes. It takes more time just to find out the owner
of the site and explain to them why this is a problem.
Is there anyway to fix this on a more global basis?
While these types of holes are not instantly mass
exploitable, it is good (or bad, depending on how you
look at it) for targeting specify users and sites to
steal sessions and personal info.
-Dave deVitry
security@devitry.com
ps. microsoft.com exploit url withheld because they
think they are safer that way.
pps. all websites involved were contacted, but most
had no timely reply.
