Hi Tim,
You make a great point.
Ron Jennings, NCIE SSP
Chaser Security - A Microsoft Partner
Cell: 559.360.2340 (24hr. customer service)
VOIP: 562.365.1295
From: Tim <[EMAIL PROTECTED]>
To: "pdp (architect)" <[EMAIL PROTECTED]>
CC: [email protected], [email protected],[EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] Self-contained XSS Attacks (the new generation of XSS)
Date: Fri, 22 Sep 2006 10:03:11 -0400
>
>Hello pdp,
>
> > http://www.gnucitizen.org/blog/self-contained-xss-attacks
> >
> > XSS attacks can be persistent and non-persistent. Persistent XSS is
> > more dangerous since it allows attackers to control exploited clients
> > for longer. On the other hand, non-persistent XSS is considered less
> > dangerous, although it has been widely used in many phishing attempts.
> >
> > In this article I will expose some of my findings around a new attack
> > vector which is of type non-persistent XSS but a lot more dangerous
> > than the persistent one.
> >
> > Some of you might be familiar with this attack vector; this subject
> > has been covered very vaguely in the past and its full potential has
> > not been explored. The impact of this attack is much bigger today and
> > could affect many web applications.
>
>This is a very interesting vector. However, I would argue that it is
>not a new class of XSS. Generally, the classes have been defined based
>on where the injected data flows from, not how it is injected in the
>page.
>
>For instance, stored or persistent XSS comes from an attacker via one
>communication, gets saved on the server, and is later reproduced to
>another user. Reflected is generally embedded in a link, sent to a
>victim, which a victim then sends to the webserver and is reflected back
>to achieve injection. DOM-based is similar, but does not need to flow
>to the webserver before coming back to get injected. I personally label
>these three classes Type 2, Type 1 and Type 0 respectively, in order to
>reduce confusion about terminology [1].
>
>All three of these scenarios could be used with your injection vector.
>A server side script could store the URL supplied by an attacker, and
>later present it to a victim, thus making it persistent. Similarly, a
>document.write() call could be exploited to inject a data: link, even if
>the typical dangerous characters (', ", <, >, etc) were handled.
>
>Don't get me wrong... I really like the vector, and what you've brought
>to the list. I just don't think it should be considered another class.
>
>cheers,
>tim
>
>
>1. http://en.wikipedia.org/wiki/XSS
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
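Tim's point that a data: link survives even when the "typical dangerous characters" are handled can be shown in a few lines. The following is an added example, not code from this thread or from the gnucitizen.org article: it puts an escape-only filter next to a scheme allowlist for a value that is about to land in an href (the same check belongs in front of a document.write() call, and in front of the server-side store in the persistent case Tim describes). The function names and the sample URLs (example.com, the data: payload, the tab-split javascript: string) are constructed for the example.

```javascript
// Added example (not code from the thread or from gnucitizen.org): why an
// escape-only filter does not stop a data: URL from reaching an href, and
// the scheme allowlist that does. All sample inputs below are constructed.

const SAFE_SCHEMES = new Set(["http:", "https:"]);

// The "typical dangerous characters" filter: neutralises ' " < > & so the
// value cannot break out of an attribute or inject a tag.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Escape-only rendering: the value is safely quoted, but whatever scheme it
// carries (data:, javascript:, ...) is preserved in the href verbatim.
function renderLinkEscapeOnly(input, label) {
  return `<a href="${escapeHtml(input)}">${escapeHtml(label)}</a>`;
}

// Scheme allowlist: parse with the WHATWG URL parser (which also strips
// leading/trailing whitespace and embedded tab/newline characters, so
// "java\tscript:" is recognised as javascript:) and accept only http(s).
// Returns the normalised absolute URL, or null when the input is rejected.
function safeHref(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch {
    return null; // not an absolute URL: refuse rather than guess
  }
  return SAFE_SCHEMES.has(url.protocol) ? url.href : null;
}

// Hardened rendering: allowlist the scheme first, then escape for the
// attribute context. Returns null so the caller can fall back to plain text.
function renderLink(input, label) {
  const href = safeHref(input);
  if (href === null) return null;
  return `<a href="${escapeHtml(href)}">${escapeHtml(label)}</a>`;
}

// Constructed inputs: an ordinary link, a data: URL carrying HTML, and a
// javascript: URL split by a tab character.
const SAMPLES = [
  "https://example.com/page?q=1",
  "data:text/html,%3Ch1%3Econstructed%3C/h1%3E",
  "java\tscript:void(0)",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "escape-only:", renderLinkEscapeOnly(s, "link"));
  console.log(JSON.stringify(s), "allowlisted:", renderLink(s, "link"));
}
```

Run with `node` (the `URL` class is a global). The escape-only output for the data: sample is a perfectly well-formed anchor whose href still starts with `data:`; the allowlisted version returns null for it and for the tab-split javascript: string, while the https link passes unchanged. Escaping is still required in the hardened path, since it protects the attribute context; the allowlist protects the scheme, and the two checks do different jobs.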
