Do You Trust The Link?

CraigD · 08-07-2008

As I understand cross-site scripting attacks, a script like this isn't really dangerous, because javascript can't see your local file system unless it's from your local file system (ie: a "file:\\" URL in a pane, anchor, image, etc.). So to do great mischief with one, you've got to get something stored in you local file system that the URL can reference.

Do I err in my thinking?

alexander · 08-07-2008

greatly... you dont need to have local filesystem access to do great damage.

Damage can be done im many ways:
stealing cookies - now alows an attacker to login to your account, without actually logging in
recoding, say, a login form, to send the data to both the website, but to first store the credentials on a server elseware
you could use the code to call up active x scripts... and we all know how secure those are

i mean for something that simple, it can be a VERY dangerous thing. Back when it was discovered, places like Bank of America were volnurable, can you imagine how much damage could be done by getting login data from there?

nikgod · 08-07-2008

Quote:

Originally Posted by CraigD

As I understand cross-site scripting attacks, a script like this isn't really dangerous, because javascript can't see your local file system unless it's from your local file system (ie: a "file:\" URL in a pane, anchor, image, etc.). So to do great mischief with one, you've got to get something stored in you local file system that the URL can reference.

Do I err in my thinking?

In a word, yes.

While javascript can't directly access files on your local drive, they can access associated cookies as has been pointed out. They can also modify ANY part of the website in the browser, or all of it. Imagine that instead of displaying a picture and popping up a dialog that it changes the login submit button to send the login data to some other place. Or imagine if it changes a link to link to a page with a virus or worm. All of this is possible in the same way, and it's not even remotely difficult to do. XSS is slowly being recognized as a threat, much as SQL injection was in the past. Still, just as there are still many sites vulnerable to SQL injection, there are a very large number of sites affected by XSS, and much more mischief can be accomplished now that javascript has become a vital part of the "Web 2.0" craze and disabling javascript becomes a less reasonable option.

GAHD · 08-07-2008

firefox 1.5 automaticly translates those for me in the bottom bar on hover
Tranhslated:

Code:

<img src="http://kapcsford.freeblog.hu/files/bazer/rofl.pwnt-spray.gif"></img><script>alert("Yuo could so have been pwnt!!! Imean why did you even click this?");</script>&x=...

yet another reason not to switch-up

CraigD · 08-07-2008

Quote:

Originally Posted by CraigD

So to do great mischief with one [XSS attack], you've got to get something stored in you local file system that the URL can reference.

Do I err in my thinking?

Quote:

Originally Posted by alexander

greatly... you dont need to have local filesystem access to do great damage.

Quote:

Originally Posted by nikgod

In a word, yes.

I think I missframed my question. Retrying: can you do great mischief to a reasonable sensible user with an XSS attack?

What I don’t understand about XSS attacks is how they are any worse than simply spamming of keyword padding to attract visits to a simple malicious site. Cookies and other client-side data visible to scripts aren’t intended to store authentication data. No even mildly secure authentication-requiring website in my experience uses cookies in such a way, and a site such myspacelayoutspy.com, which allows a script to be passed via a HTTP GET or PUT is just a wild, dangerous, foolish place.

In short, it seems to me that for a non-malicious site to be vulnerable to XSS attacks, it must implement intentionally perverse features, and even then, unless your browser allows such unwise actions as the unconfirmed installation of ActiveX controls, or you are ridiculously credulous when confronted with a plain phishing attack, the possible gain of such attacks is nearly nil. If you’re wanton enough to be any of these, there’s little hope for your online security, and simple spam-promoted, blatantly fraudulent sites are as effective as scripting trickery.

Though I’ve no reason to doubt the claim that XSSs are the largest category of security abuses on the internet, it seems to me more an indictment of end user behavior than permitting http scripting events or simple inline scripts (of why, when nearly every browser existent supports the body element’s onload attribute, inline script elements are even allowed, I’ve yet to hear a good explanation). Though I personally despise the very concept of browser event scripting – the effort and investment the world’s put into it would, IMHO, have been better spent on modest enhancement and standardization of html form elements and attributes – and consider client-side data cookies one of the worst, ad-hoc, ideas ever implemented in a browser, their widespread existence is effectively a fact-of-life which must be endured. As in all walks of life, some people will just endure them with less attending grief than others.

Jay-qu · 08-07-2008

Quote:

Originally Posted by alexander

firefox translates hex in urls to help users identify potentially bad links, they actually like security, and that's what i love about FF.

not the case with internet exploder though...

search term is the exploit, jay... they blatantly output the search argument to their page, which allows one to arbitrarily insert code into the link, and thus into the page... i could have as easily linked it to a script so you would not see all that in URL, but what i am trying to say is that if you see any code in a url, don't click it

Jay, you really dont think that myspacelayoutspy would have a page that will load that image and generate that popup, do you?

I see where you are coming from now, but I am always cautious to trust your russians anyway

jk

alexander · 08-08-2008

Gahd, how is that another reason not to switch up? FF2 and FF3 both do that... i've said so above somewhere, too...

There's a reason to switch from Internet Exploder, because it does not translate and thus potentially endanger

Quote:

Originally Posted by jay

but I am always cautious to trust your russians anyway

point is not to trust ANYONE, not just us, USSRians

alexander · 08-08-2008

Craig, let me answer your questions first, i'll tell nikgod next time i talk to him, to stop by and put in his 2 cents...

Quote:

What I don’t understand about XSS attacks is how they are any worse than simply spamming of keyword padding to attract visits to a simple malicious site. Cookies and other client-side data visible to scripts aren’t intended to store authentication data. No even mildly secure authentication-requiring website in my experience uses cookies in such a way, and a site such myspacelayoutspy.com, which allows a script to be passed via a HTTP GET or PUT is just a wild, dangerous, foolish place.

Quite simply, the email padding going to a malicious website is simpler to spot, you are going to www.somemaliciouswebsite.com, and most people that look at the links before clicking them, will quickly notice that there is a problem. The danger of XSS is that it routes you to a valid domain, i.e. it routes you to the real website https://www.bankofamerica.com or Welcome to Facebook! | Facebook, and a crafty hacker will not change the look of the page at all, so a user suspects nothing wrong with the page, all the security identifiers are the same, everything looks 100% legit, only problem is, that it's not...

Quote:

In short, it seems to me that for a non-malicious site to be vulnerable to XSS attacks, it must implement intentionally perverse features

it just has to have one coding mistake, like most other exploits, a simple, stupid mistake in hundreds of thousands of lines of code, and late knights.... and they have been found everywhere, from myspace, to google, to msn, to bank of america, to federal websites and anywhere in between. Danger is, unless they are reported, they are not likely to be fixed...

Quote:

unless your browser allows such unwise actions as the unconfirmed installation of ActiveX controls

what about flash, if you find an exploit in flash or shockwave, or say quick time, you can now embed your exploit into a page with a valid, known and trusted domain link... and it can be anything, if you find a bad practice in processing images and can embed exploits into those, you can embed the images on those same pages, and yeah, it's easier to click that link, after all, it's federal gov-t telling you that they found problems in your recently submitted tax form, and they want you to verify your data...

Quote:

Though I’ve no reason to doubt the claim that XSSs are the largest category of security abuses on the internet

nope, i'd say SQL injection... but using mostly the same concept though, but much more devastating...

Quote:

the possible gain of such attacks is nearly nil.

I'd beg to differ.

Quote:

Originally Posted by sla.ckers.org

This vulnerability can be extremely dangerous if A creates a XSS Worm, inject into his own blog. When B visits A's blog, his own blog is infected and unintentionally pass the worm to all his friends who visit his blog page later on. In just a day, it's hard to imagine how many Yahoo! accounts' cookie are stolen.

similarly, you can steal other info, i mean, look, you say it cant be dangerous, but say you discover a volnurability in say BoA, i pick on it for its convenience ofcourse. You recreate the look of a login process, and make it easy for users to disclose the user id and password for their acct, infact after they go through your process, they log into their account, even though you now own their data. The user ID on the acct is the user's SSN.... now you have one's ssn, and their password into their bank accounts. you tell me now if it's a dangerous attack vector?

You create a crafty email and send it to millions of BoA users... with even 1 percent response, even less, you can easily have info for well over a 1000 bank accounts, ssns, and probably passwords into their other accounts (as people like to use one password for everything), probably its their email password, and any social networking sites. Pick any one, log in, find their names, addresses emails, log into their email, find what they are like as a person, also if they have a flickr acct, or a social networking website addiction, in a matter of hours you have more then enough info to easily facilitate an indentity takeover...

I just want you to see, that just because i didn't do anything bad with it, XSS though only client-side scripting, is still extremely dangerous...

Hopefully if you get that out of this thread, i have done my duty to educate people about having better security practices on the net...

Moontanman · 08-08-2008

While I don't pretend to understand all the technical details here I do know what the end result is, theft! I think anyone who does this should be hung by the neck until dead, far to many people are vulnerable to such things and end up loosing their life savings and or other things to some sneaky dipstick, someone just took $1000 out of my bank account due to hackers stealing bank account info. May they all burn in this life, hell can wait!