-
Cross-site hacks and the art of self defence
Generally, browsers stop cross-site communication by following the "same-origin policy". This rule is pretty simple: if your site has a different origin – protocol, domain, and port don’t all match – you aren’t allowed to access information from or send requests to the other site. Without this simple rule, there would be no security on…
-
Whitepaper: Bypassing ASP .NET “ValidateRequest” for Script Injection Attacks
Richard Brain has published a whitepaper on bypassing .NET XSS protection. "The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest [1] setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input validation attacks such as…
-
Tools: Grendel Scanner a new Web Application Security Scanner
While attending defcon I got to check out a talk on a new web application security scanner called Grendel scanner. For those of you who don’t know I used to work at spi dynamics on the webinspect product (now part of HP) and I got to say it is one of the more impressive looking…
-
Rich data: the dark side to Web 2.0 applications
"All web applications allow some form of rich data, but that rich data has become a key part of Web 2.0. Data is "rich" if it allows markup, special characters, images, formatting, and other complex syntax. This richness allows users create new and innovative content and services. Unfortunately, richness affords attackers an unprecedented opportunity to…
-
Microsoft outlines extensive IE8 security improvements
Microsoft has posted a very extensive article outling the security improvements to IE8. Improvements have been made to the following area's. – Cross-Site-Scripting Defenses – Safer Mashups (HTML and JSON Sanitization) – MIME-Handling Changes (Restrict Upsniff and Sniffing Opt-Out) – Add-on Security – Protected Mode – Application Protocol Prompt – File Upload Control – Social…
-
JavaScript Code Flow Manipulation, and a real world example advisory – Adobe Flex 3 Dom-Based XSS
"We recently researched an interesting DOM-based XSS vulnerability in Adobe Flex 3 applications that exploits a scenario in which two frames (parent & son) interact with each other, without properly validating their execution environment. In our research, we have seen that in some cases, it is possible to manipulate JavaScript code flow, by controlling the…
-
Barack Obama site XSSed, redirected to Hillary’s website
"Yes Cross Site Scripting (XSS) errors are all over the place. And YES they can affect very prominent web sites. The discussion forum area on Barackobama.com is allegedly the victim of a XSS exploit that redirected comments from Obama's site to….HillaryClinton.com. A hacker going by the alias of 'Mox' has claimed responsibility for the exploit.…
-
XSS in ISP ad page allows compromise of any website
"When users visit a website like Wired.com, the DNS system maps the domain name into an IP address such as 72.246.49.48. But if a particular site does not exist, the DNS server tells the browser that there's no such listing and a simple error message should be displayed. But starting in August 2006, Earthlink instead…
-
Blackhat SEO: XSS the trick that keeps on kicking
"Last week's massive IFRAME injection attack is slowly turning into a what looks like a large scale web application vulnerabilities audit of high profile sites. Following the timely news coverage, Symantec's rating for the attack as medium risk, StopBadware commenting on XP Antivirus 2008, and US-CERT issuing a warning about the incident, after another week…
-
Orkut Worm v2.0
"The Scrapkut worm uses active code injection to spread between victims and their friends on Orkut. The malicious code appears on a victim’s scrapbook, containing a link to a supposed YouTube video. People who click on the link are redirected to an external site hosting malware that's disguised as a Flash upgrade. Users duped into…
-
Italian Bank XSS utilized by fraudsters
"An extremely convincing phishing attack is using a cross-site scripting vulnerability on an Italian Bank's own website to attempt to steal customers' bank account details. Fraudsters are currently sending phishing mails which use a specially-crafted URL to inject a modified login form onto the bank's login page. The vulnerable page is served over SSL with…
-
XSS Vulnerabilities in Common Shockwave Flash Files
Rich Cannings has published an advisory on the Web Security Mailing List describing a flaw on common flash authoring tools allowing for XSS. From his advisory "THE PROBLEM Many web authoring tools that automatically generate SWFs insert identical and vulnerable ActionScript into all saved SWFs or necessary controller SWFs (think of tools that "save as…
-
Orkut XSS worm in the wild
According to ISC orkut has been striken with a persistant XSS worm via the user profiles. Will be updating this as new information breaks so stay tuned! So far no news at the orkut blog UPDATE A few news articles have started to pop up regarding this. "Google's Orkut social networking site appeared to have…
-
Visual Studio Plugin XSSDetect Available To Detect Cross-Site Scripting In Your Code
"One of the biggest, constant problems we've seen our enterprise customers deal with and we here at Microsoft have to also contend with is that of the XSS (Cross Site Scripting) bug. It's very common and unfortunately, still an issue we have to deal with in many web applications. Internally, the ACE Team has been…
-
Security details of the upcoming Rails 2.0 release
"Making it even easier to create secure applications out of the box is always a pleasure and with Rails 2.0 we’re doing it from a number of fronts. Most importantly, we now ship we a built-in mechanism for dealing with CRSF attacks. By including a special token in all forms and Ajax requests, you can…
-
Apache 1.3.39, 2.0.61, and 2.2.6 Released to Address XSS Vulnerability in mod_status
A XSS vulnerability has been discovered in apache. "Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that perform "charset detection"…
-
New Zealand Herald website defaced via XSS to promote hacker con
"The New Zealand Herald's website fell victim to a page spoofing stunt earlier today, by hackers wanting to publicise their upcoming Kiwicon security conference in November. In this case, the spoofing meant the hackers displayed a parody of a Herald article to users, rather than a real one, when surfers called up an article on…
-
USA Today fun with XSS
clpwn.com has found an XSS vulnerability in USAToday and has been having fun with it to *post* fake news stories. First a description of the group "Hardcore WEB HACKING and 0day browser security stuff from wannabe elite hackers TEAM CLPWN…" Now about the vuln "The underground hacker team CLPWN has exposed a zero-day content injection…
-
Anti XSS using Ajax
"XSS have became a problem that most web developers still suffering from it tell now, simply because however you try hard to validate every user input it only takes a single line of code that prints out the user input without validation to render your whole application vulnerable to XSS attacks and once you are…
-
XSS cross webmail worm
Rosario Valotta writes in to tell us "I realized a PoC of what I define a XWW – Cross webmail worm, based on exploitation of XSS vulnerabilities. Detailed informations and a video can be found at: http://rosario.valotta.googlepages.com/home" Article Link: http://rosario.valotta.googlepages.com/home
-
Cross-Site Scripting: Attackers’ New Favorite Flaw
"For years buffer overflow has been the favorite target of online attackers, but no more: Cross-site scripting is now the biggest culprit That’s the scoop from Mitre Corp., which later this week will release its latest findings about the flaws behind publicly-disclosed vulnerabilities. The number two favorite flaw is SQL injection, says Robert Martin, lead…
-
Article: Beware of the Quiet Ones
"Cross-site scripting (XSS) may be the poster child for what’s wrong with Web security, but an updated vulnerability report from Mitre suggests that two lesser-known attack vectors are quietly growing as well. Mitre has quietly released the final version of its 2006 Common Vulnerabilities and Exposures (CVE) report, which it previewed last fall. As the…
-
Same-Origin Policy Part 1: Why we’re stuck with things like XSS and XSRF/CSRF
"The last few years have seen a constant rise in vulnerabilities like cross-site scripting (XSS), HTTP response splitting, and cross-site request forgery (XSRF or CSRF). While the vectors and exploit of each of these vulnerability classes vary, they all have one common thread. Each of these vulnerabilities exploits trust shared between a user and a…
-
MySpace superworm creator sentenced to probation, community service
"The man responsible for unleashing what is believed to be the first self-propagating cross-site scripting worm has pleaded guilty in Los Angeles Superior Court to charges stemming from his most infamous hacking. Samy Kamkar, who was 19 when he unleashed the attack on MySpace.com in October 2005, was sentenced to three years of probation and…
-
Adobe Client Site Plugin Allows Universal XSS
An XSS issue in adobe acrobat allows you to xss a user against any website hosting a PDF file. UPDATE: Download Acrobat 8 it address this issue to protect yourself. If you host PDF files on a site it has been suggested that you associate the PDF mimetype on your web server to something unknown.…
Favorite Links
- Security Templates (New)
- The Web Application Security Consortium
- QA Security
- The Web Security Mailing List
- Romain Gaucher’s Blog
- Jeremiah Grossman’s Blog
Popular Pages
WASC Threat Classification
- Abuse of Functionality
- Application Misconfiguration
- Brute Force Attack
- Content Spoofing
- Credential/Session Prediction
- Denial of Service
- Directory Indexing
- Information Leakage
- Remote File Inclusion Attack
- Routing Detour Attack
- SOAP Array Abuse
- XML Attribute Blowup
- XML Injection
- XML External Entity Attack