Xss

Published by: api-3849930 on Oct 19, 2008
Copyright: Attribution Non-commercial
Page 1 of 25
Copyright © 2002, iDEFENSE Inc.
iALERT White Paper – PUBLIC RELEASE VERSION
iALERT White Paper
The Evolution of
Cross-Site Scripting Attacks
By David Endler
iDEFENSE Labs
dendler@idefense.com
May 20, 2002
iDEFENSE Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
Main: 703-961-1070
Fax: 703-961-1071
http://www.idefense.com
Copyright © 2002, iDEFENSE Inc.
“The Power of Intelligence” is trademarked by iDEFENSE Inc.
iDEFENSE and iALERT are Service Marks of iDEFENSE Inc.
TABLE OF CONTENTS

TABLE OF CONTENTS .......... 2
ABSTRACT .......... 3
INTRODUCTION .......... 4
CROSS-SITE SCRIPTING .......... 6
A TRADITIONAL XSS POWERED HIJACK .......... 9
NOW LET’S AUTOMATE IT .......... 14
CUSTOMIZED FOR AUTOMATED WEBMAIL HIJACKING .......... 17
SOLUTIONS AND WORKAROUNDS .......... 20
CONCLUSION .......... 21
RESOURCES .......... 22
APOLOGIA .......... 23
ACKNOWLEDGEMENTS .......... 24
APPENDIX A – WEBMAIL REFERER SAMPLING .......... 25

ABSTRACT

It seems today that Cross-Site Scripting (XSS) holes in popular web applications are being
discovered and disclosed at an ever-increasing rate. Just glancing at the Bugtraq security mailing
list archives at http://online.securityfocus.com/archive/1 over the first half of 2002 shows
countless postings of XSS holes in widely used websites and applications.

The security community has already developed numerous proof-of-concept demonstrations in
which XSS holes in websites such as Hotmail, eBay, and Excite and in software like Apache
Tomcat, Microsoft IIS, Lotus Domino, and IBM Websphere facilitate hijacking of web
application user accounts. Almost all of these scenarios require the involvement of an “active”
attacker, a person who tries to steal a user’s cookie values at the same time that the user is still
signed in to his web application session. Generally, for this to be successful, the attacker must
perform these actions while the user is still signed into the application, or else the attacker will
receive a “session expired” error page. It is important to note that most types of conventional
security measures (e.g. firewalls, intrusion detection systems, virus protection, etc.) currently do
very little to detect or protect against these types of attacks.
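The hijack scenario above works only because the web application echoes attacker-supplied markup back into the victim's page unencoded, so the victim's browser executes it with the victim's session cookie in scope. The following Python example is added here and is not part of the iDEFENSE paper: it places the vulnerable string-concatenation pattern beside context-aware output encoding, the developer-side workaround that removes the bug class. The inputs (`CONSTRUCTED_NAME`, `CONSTRUCTED_HOMEPAGE`) and the helper names are constructed for illustration. It goes slightly beyond the abstract by also handling the URL-attribute context, where entity encoding alone is not sufficient and the scheme must be allowlisted.

```python
"""Added example (not from the iDEFENSE paper): vulnerable page rendering
beside context-aware output encoding, the standard fix for reflected and
stored XSS."""
import html
from urllib.parse import urlsplit

# Constructed untrusted values, as a user might submit them on a webmail or
# auction-site profile form. Illustrative only; not taken from the paper.
CONSTRUCTED_NAME = 'Alice <script>alert(1)</script>'
CONSTRUCTED_HOMEPAGE = 'javascript:alert(1)'


def encode_html_text(value: str) -> str:
    """Encode untrusted data for an HTML element body or a quoted attribute.

    html.escape(quote=True) converts &, <, >, " and ' to entities, so the
    browser renders the data as literal text rather than parsing it as markup.
    """
    return html.escape(value, quote=True)


def safe_http_url(value: str) -> str:
    """Allowlist the scheme of a URL destined for href/src.

    Entity encoding does not stop a 'javascript:' URL from executing when the
    link is followed, so only absolute http(s) URLs with a host are accepted;
    anything else collapses to an inert '#'. The accepted URL is still entity
    encoded because it lands inside a quoted attribute.
    """
    parts = urlsplit(value.strip())
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return encode_html_text(value.strip())
    return "#"


def render_profile_unsafe(display_name: str, homepage: str) -> str:
    """The vulnerable pattern shared by the case studies the abstract cites:
    untrusted data concatenated straight into the response."""
    return (
        f'<div class="profile"><span>{display_name}</span> '
        f'<a href="{homepage}">homepage</a></div>'
    )


def render_profile(display_name: str, homepage: str) -> str:
    """Same page, with every untrusted value encoded for the context it lands
    in: element body, quoted attribute, and URL attribute."""
    name = encode_html_text(display_name)
    return (
        f'<div class="profile"><span title="{name}">{name}</span> '
        f'<a href="{safe_http_url(homepage)}">homepage</a></div>'
    )


def contains_active_content(fragment: str) -> bool:
    """Crude marker check used only to contrast the two renderings; it is a
    demonstration aid, not a sanitizer (do not rely on blocklists like this)."""
    lowered = fragment.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    print("unsafe:", render_profile_unsafe(CONSTRUCTED_NAME, CONSTRUCTED_HOMEPAGE))
    print("safe:  ", render_profile(CONSTRUCTED_NAME, CONSTRUCTED_HOMEPAGE))
```

Run as a script, the unsafe rendering contains a live `<script>` element and a `javascript:` link, while the encoded rendering shows the same text as inert entities and replaces the link target with `#`. The design point is that the encoding function is chosen by the output context, not by what the input looks like: the same `display_name` is encoded identically whether it is benign or hostile, which is why this approach does not depend on recognising attack strings.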

This paper predicts that fully and semi-automated techniques will aggressively begin to emerge
for targeting and hijacking web applications using XSS, thus eliminating the need for active
human exploitation. Some of these techniques are detailed along with solutions and workarounds
for web application developers and users.
