RE: XSS LAB DEMO IDEAS

From: Dawes, Rogan (ZA - Johannesburg) (rdawes@deloitte.co.za)
Date: Tue Jan 07 2003 - 03:32:28 EST


As an example of what one can do with XSS, I was reviewing a banking site
which had the following sequence:

User registers, providing their account details, locations, etc.
The registration is reviewed by a supervisor (different privilege levels),
who contacts the user telephonically to authenticate them, before activating
the account.
The user then logs on, and accesses their accounts.

I was able to insert enough scripting into the personal data to
automatically activate the account as soon as it was viewed, without the
supervisor needing to do it manually. In fact, I was able to become a
supervisor myself, and add any account I liked. Fortunately I caught this
one in the testing phase :-)

That sort of thing can make quite a powerful demonstration of why input
filtering (more correctly, OUTPUT filtering) is so important.

Rogan
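The account above is a stored XSS case: registration data is rendered unescaped in the supervisor's review page, so whatever the registrant typed runs in the supervisor's browser. As an added example (not from the thread), this Python sketch shows the unsafe rendering pattern beside the output-escaped form and uses the standard library's HTML tokenizer to check what a browser would actually parse; the field names and the sample record are constructed.

```python
import html
from html.parser import HTMLParser

# Constructed sample: one registration record as a supervisor's review page
# would load it. The address and phone fields carry markup that must be
# rendered as text, never interpreted.
SAMPLE_REGISTRATION = {
    "name": "J. Doe",
    "address": '12 Main St <script>alert("xss")</script>',
    "phone": '555-0100" onmouseover="alert(1)',
}


def render_unsafe(record):
    """Field values concatenated straight into HTML (the vulnerable pattern)."""
    return (
        f'<tr><td>{record["name"]}</td>'
        f'<td>{record["address"]}</td>'
        f'<td><input value="{record["phone"]}"></td></tr>'
    )


def render_escaped(record):
    """Output filtering: escape at the point of rendering.

    html.escape(quote=True) is correct for element text and for values
    inside double-quoted attributes; other contexts (URLs, inline script,
    CSS) need their own encoders and are out of scope here.
    """
    def esc(value):
        return html.escape(str(value), quote=True)

    return (
        f'<tr><td>{esc(record["name"])}</td>'
        f'<td>{esc(record["address"])}</td>'
        f'<td><input value="{esc(record["phone"])}"></td></tr>'
    )


class _Audit(HTMLParser):
    """Counts <script> elements and on* attributes the tokenizer really sees."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def audit(fragment):
    """Return (script_tags, event_handlers) a browser would parse from fragment."""
    parser = _Audit()
    parser.feed(fragment)
    parser.close()
    return parser.script_tags, parser.event_handlers
```

Running `audit` over both renderings of the sample record shows one script element and one event handler in the unsafe output and none in the escaped output, which is the difference the supervisor's browser sees.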

-----Original Message-----
From: Jeremy Junginger [mailto:jj@act.com]
Sent: 06 January 2003 07:01 PM
To: pen-test
Subject: XSS LAB DEMO IDEAS

After reading the papers by iDefense and the paper at
http://www.technicalinfo.net/papers/CSS.html , I would like to put a
working example together to familiarize our web developers with XSS
vulnerabilities and their impact on the web site (and business). I
would like to poll the group for interesting ways to demonstrate these
vulnerabilities in a lab environment. Thanks for taking the time to
give your input.

-Jeremy

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:26 EDT