[cgiapp] XSS
Barry Moore
barry.moore at genetics.utah.edu
Fri Feb 8 17:49:35 EST 2008
Thanks Michael - that helps clear things up for me.
B
On Feb 8, 2008, at 8:40 AM, Michael Peters wrote:
> Barry Moore wrote:
>
>> Basically one version of an XSS attack would be for me to enter
>> javascript code into a form on your web page. Then if you include my
>> form submission in other web pages then my javascript could
>> execute on
>> any other user's machine that subsequently loaded those tainted pages.
>> My JS code could do anything that they could do including contact
>> your
>> server on behalf of them and send data back to my server. Is this
>> correct?
>
> Yes. This is what XSS means. There are variations on this, but it's
> basically
> the same thing.
>
>> Then the rationale for you to html escape any input that comes from me
>> and any other user is because that escaping would render the JS code
>> inoperable. Is that correct?
>
> Yes. Imagine you have a form that asks me a survey question and I
> enter my name as:
> Michael <script>alert("p0wnd!")</script> Peters.
>
> Then you log into the admin side of your application and see my
> survey result.
> You will get p0wnd. Now imagine that instead of doing a simple
> alert() I
> inserted a <script> tag that pulls in some JS from my own server
> which adds some
> helpful (to me, not you) methods into your page that makes it
> really easy for me
> to get your cookie information and then sends it back to my server.
> Now I can
> log in to your admin side and do whatever I want.
>
>> So then it is safe to assume that if the data from your form never
>> gets
>> sent back to other users (i.e. it only gets analyzed by your server -
>> such as a search form) or if you check for JS code in some other way,
>> then that would also prevent this form of XSS?
>
> No. Imagine this scenario: I use your search form and input some
> malicious
> Javascript. Now I can steal my own information. Not really
> useful... yet. I
> create a URL that will take me to that results page. Something like
> http://coolsite.com/search?term=%3Cscript%3Ealert(%22p0wnd!%22)%3C%2Fscript%3E
> and I post it in some forum or email group (like this one) and
> people click on
> it. Now I have their information.
>
> --
> Michael Peters
> Developer
> Plus Three, LP
>
>
> ##### CGI::Application community mailing list ################
> ## ##
> ## To unsubscribe, or change your message delivery options, ##
> ## visit: http://lists.openlib.org/mailman/listinfo/cgiapp ##
> ## ##
> ## Web archive: http://lists.openlib.org/pipermail/cgiapp/ ##
> ## Wiki: http://cgiapp.erlbaum.net/ ##
> ## ##
> ################################################################
>
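The escaping Michael describes, as an added example that is not part of the thread and not CGI::Application's own code: a stand-alone Perl script that renders a value once raw (the vulnerable case) and once HTML-escaped at the point of output, fed with the two inputs from the thread, the survey-name answer (stored case) and the percent-encoded search term from the forum link (reflected case). The `escape_html`, `url_decode`, `render_unsafe` and `render_safe` subs and the sample inputs are constructed for this example; the escape table is written by hand so the script needs only core Perl, whereas a real application would use HTML::Entities or the escape filter of its templating engine.

```perl
#!/usr/bin/env perl
# Added example (not from the list thread): HTML-escape untrusted input at the
# point where it is written into an HTML page, so an injected <script> tag is
# shown as text instead of being executed by the browser.
use strict;
use warnings;

# The five characters that carry meaning in HTML text and attribute context.
# Hypothetical hand-rolled table; HTML::Entities::encode_entities does the
# same job in a real CGI::Application program.
my %ENTITY = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#39;',
);

sub escape_html {
    my ($text) = @_;
    $text =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $text;
}

# Decode a percent-encoded query-string value the way the server sees it
# after a browser follows a link such as the one quoted above.
sub url_decode {
    my ($value) = @_;
    $value =~ tr/+/ /;
    $value =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
    return $value;
}

# Vulnerable rendering: the raw value is concatenated into the page, so any
# markup it contains becomes part of the document the browser executes.
sub render_unsafe {
    my ($term) = @_;
    return "<p>Results for: $term</p>";
}

# Hardened rendering: identical, except the value is escaped on output.
# This applies whether the value was stored earlier (survey answer) or
# arrived in the same request (search term); the rule is "escape on output".
sub render_safe {
    my ($term) = @_;
    return "<p>Results for: " . escape_html($term) . "</p>";
}

# Constructed inputs mirroring the thread.
my $survey_name = 'Michael <script>alert("p0wnd!")</script> Peters';
my $search_qs   = 'term=%3Cscript%3Ealert(%22p0wnd!%22)%3C%2Fscript%3E';
my ($search_term) = $search_qs =~ /^term=(.*)$/;
$search_term = url_decode($search_term);

for my $input ($survey_name, $search_term) {
    print "input:  $input\n";
    print "unsafe: ", render_unsafe($input), "\n";
    print "safe:   ", render_safe($input), "\n\n";
}
```

Running it shows the survey name emerging from `render_safe` as `Michael &lt;script&gt;alert(&quot;p0wnd!&quot;)&lt;/script&gt; Peters`, which a browser displays literally, while `render_unsafe` hands the browser a live `<script>` element. Escaping at output rather than filtering at input is what makes the search-form case safe too: the decoded search term is only ever written back to the page through `escape_html`, so "checking for JS in some other way" on the way in is not needed for this defence to hold.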