Cross site scripting 
 Cross site scripting

    I took a second look at some of the Microsoft documents warning against
Cross Site Scripting attacks. I tried to write a script that would do
something malicious on the server, but could not do anything without using
the Execute() method in my ASP page. Is it the case that in order for these
attacks to work, the attacked page needs to contain this method?

--
Randall Loffelmacher



Fri, 27 Dec 2002 03:00:00 GMT  
 Cross site scripting
    Okay...I've come to an epiphany with this problem. I thought that this
was not a serious security issue. Now I am of a completely different
opinion. I thought that it was not serious because I was unable to do
anything to the server without using the Execute() method.
    But it is very, very easy to muck up a client machine. All that you need
to do is something like this. A visitor to your site makes an entry in the
guestbook or bulletin board. It's got to be a section of the website that
accepts forms from users and posts their input to pages that everyone can
access. Rather than some form that is password protected for select users
(one hopes you can trust those people with passwords)...If this malicious
user enters some text like this:
<SCRIPT LANGUAGE="VBScript">
    Dim objFSO
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    objFSO.deleteFile("C:\*")
</SCRIPT>
I believe that the example above won't run on a client machine...wrong
syntax. I am not familiar with client-side VBScripting. But I think that the
script above demonstrates my point. It is (I presume) easy to write a
client-side VBScript embedded in a web page that will delete files. This
does not affect the servers, but will delete the entire hard drive of anyone
that views the bulletin board/guestbook page...if they have IE and are
stupid enough to allow the script to run.

Randy






Sat, 28 Dec 2002 03:00:00 GMT  
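
Added example (not part of the original posts): the guestbook scenario described in the post above, sketched in Python rather than ASP, rendering the same page without and with HTML encoding of visitor input. In classic ASP the corresponding encoding call is Server.HTMLEncode; the entries, function names and the harmless MsgBox stand-in are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed guestbook entries (name, message). Two carry markup, as in the
# post above; a harmless MsgBox stands in for any real script body.
ENTRIES = [
    ("Alice", "Nice site!"),
    ("Mallory", '<SCRIPT LANGUAGE="VBScript">MsgBox "xss"</SCRIPT>'),
    ('"><SCRIPT>x</SCRIPT>', "name field abused too"),
]

def render_unsafe(entries):
    """Vulnerable pattern: visitor text is pasted into the page as-is."""
    rows = "".join(f'<li title="{n}">{n}: {m}</li>' for n, m in entries)
    return f"<html><body><ul>{rows}</ul></body></html>"

def render_safe(entries):
    """Hardened pattern: HTML-encode every visitor value at output time.
    quote=True also encodes " and ', which matters inside attributes."""
    rows = "".join(
        '<li title="{0}">{0}: {1}</li>'.format(
            html.escape(n, quote=True), html.escape(m, quote=True))
        for n, m in entries)
    return f"<html><body><ul>{rows}</ul></body></html>"

class TagCollector(HTMLParser):
    """Records each start tag an HTML parser sees in the page."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)  # tag names arrive lower-cased

def tags_in(page):
    parser = TagCollector()
    parser.feed(page)
    parser.close()
    return parser.tags

def injected_tags(page, allowed=("html", "body", "ul", "li")):
    """Tags present in the page that the template itself never emits."""
    return sorted(set(tags_in(page)) - set(allowed))

if __name__ == "__main__":
    print("unsafe:", injected_tags(render_unsafe(ENTRIES)))
    print("safe:  ", injected_tags(render_safe(ENTRIES)))
```

The same parser check can be run over rendered pages in a test suite to catch a template that stops encoding a field.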
 Cross site scripting

I found the Microsoft documents to be very non-specific regarding this
security issue. I followed a link to a CERT page that talks about this
security problem and it gives a much more in-depth discussion of the problem
and the solution. Here's the URL:
http://www.cert.org/advisories/CA-2000-02.html

Randy






Sat, 28 Dec 2002 03:00:00 GMT  
 