Comments on: Anatomy of an XSS exploit http://www.lightbluetouchpaper.org/2006/06/13/anatomy-of-an-xss-exploit/ Security Research, Computer Laboratory, University of Cambridge Sun, 27 Jul 2008 09:14:45 +0000 http://wordpress.org/?v=2.5.1 By: miaw http://www.lightbluetouchpaper.org/2006/06/13/anatomy-of-an-xss-exploit/#comment-23824 miaw Fri, 31 Aug 2007 04:25:19 +0000 http://www.lightbluetouchpaper.org/2006/06/13/anatomy-of-an-xss-exploit/#comment-23824 found xss http://www.lightbluetouchpaper.org/index.php?s=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&searchbutton=Go%21 [Thanks for pointing this out. The bug has now been fixed -- Steven Murdoch] found xss
http://www.lightbluetouchpaper.org/index.php?s=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&searchbutton=Go%21

[Thanks for pointing this out. The bug has now been fixed -- Steven Murdoch]

]]> By: Never Tell… » Blog Archive » links for 2006-06-28 http://www.lightbluetouchpaper.org/2006/06/13/anatomy-of-an-xss-exploit/#comment-661 Never Tell… » Blog Archive » links for 2006-06-28 Sun, 02 Jul 2006 16:12:49 +0000 http://www.lightbluetouchpaper.org/2006/06/13/anatomy-of-an-xss-exploit/#comment-661 [...] Light Blue Touchpaper » Anatomy of an XSS exploit (tags: tech security) [...] [...] Light Blue Touchpaper » Anatomy of an XSS exploit (tags: tech security) [...]

]]> By: Andrew van der Stock http://www.lightbluetouchpaper.org/2006/06/13/anatomy-of-an-xss-exploit/#comment-615 Andrew van der Stock Wed, 28 Jun 2006 04:11:08 +0000 http://www.lightbluetouchpaper.org/2006/06/13/anatomy-of-an-xss-exploit/#comment-615 Hi Steven, so you're saying any PHP code which does this: <code> $clean = array(); $html = array(); $clean['userinput'] = trim(strip_tags($_POST['userinput'])); if ( strlen($clean['userinput']) < 3 ) { $html['warning'] = htmlspecialchars($lang['errMsgTooShort'] . $clean['userinput'], ENT_QUOTES, 'UTF-8'); echo "<html><body><script>var text = '{$html['warning']}';</script>"; echo "<script>alert(text);</script></body></html>"; exit; } // continue on... </code> is at risk? What do you need to do to become safe? thanks, Andrew (OWASP Guide author :) Hi Steven,

so you’re saying any PHP code which does this:

$clean = array();
$html = array();

$clean['userinput'] = trim(strip_tags($_POST['userinput']));
if ( strlen($clean['userinput']) < 3 )
{
$html['warning'] = htmlspecialchars($lang['errMsgTooShort'] . $clean['userinput'], ENT_QUOTES, ‘UTF-8′);

echo "<html><body><script>var text = ‘{$html['warning']}’;</script>";
echo "<script>alert(text);</script></body></html>";
exit;
}
// continue on…

is at risk? What do you need to do to become safe?

thanks,
Andrew
(OWASP Guide author :)

]]> By: Light Blue Touchpaper » Oracle attack on Wordpress http://www.lightbluetouchpaper.org/2006/06/13/anatomy-of-an-xss-exploit/#comment-599 Light Blue Touchpaper » Oracle attack on Wordpress Thu, 22 Jun 2006 13:11:00 +0000 http://www.lightbluetouchpaper.org/2006/06/13/anatomy-of-an-xss-exploit/#comment-599 [...] This post describes the second of two vulnerabilities I found in Wordpress. The first, a XSS vulnerability, was described last week. While the vulnerability discussed here is applicable in fewer cases than the previous one, it is an example of a comparatively rare class, oracle attacks, so I think merits further exposition. [...] [...] This post describes the second of two vulnerabilities I found in Wordpress. The first, a XSS vulnerability, was described last week. While the vulnerability discussed here is applicable in fewer cases than the previous one, it is an example of a comparatively rare class, oracle attacks, so I think merits further exposition. [...]

]]> By: Steven J. Murdoch http://www.lightbluetouchpaper.org/2006/06/13/anatomy-of-an-xss-exploit/#comment-589 Steven J. Murdoch Thu, 15 Jun 2006 13:20:33 +0000 http://www.lightbluetouchpaper.org/2006/06/13/anatomy-of-an-xss-exploit/#comment-589 @Dave Armstrong Thanks for the pointer. I do know of some XSS worms (see comment 1), but the one I suggested is slightly different. It uses XSS as the infection vector, but propagation and payload code are run on the server. This reduces applicability to software like Wordpress which allows XSS to server compromise escalation, but the payload can do more (e.g. botnet creation). A pure XSS worm might be possible with Wordpress, but the two limitations we found were the 255 character limit on author name, and the variety of ways themes render the blogroll. We couldn't see an easy way to find blogs to attack next, based only on the DOM tree in ~240 bytes of Javascript. However, if you can run PHP, the list can be trivially sucked from the database. @Dave Armstrong

Thanks for the pointer.

I do know of some XSS worms (see comment 1), but the one I suggested is slightly different. It uses XSS as the infection vector, but propagation and payload code are run on the server. This reduces applicability to software like Wordpress which allows XSS to server compromise escalation, but the payload can do more (e.g. botnet creation).

A pure XSS worm might be possible with Wordpress, but the two limitations we found were the 255 character limit on author name, and the variety of ways themes render the blogroll. We couldn’t see an easy way to find blogs to attack next, based only on the DOM tree in ~240 bytes of Javascript. However, if you can run PHP, the list can be trivially sucked from the database.

]]> By: Dave Armstrong http://www.lightbluetouchpaper.org/2006/06/13/anatomy-of-an-xss-exploit/#comment-588 Dave Armstrong Thu, 15 Jun 2006 12:55:09 +0000 http://www.lightbluetouchpaper.org/2006/06/13/anatomy-of-an-xss-exploit/#comment-588 XSS/Javascript worms are not a new concept: http://www.bindshell.net/papers/xssv XSS/Javascript worms are not a new concept:

http://www.bindshell.net/papers/xssv

]]> By: Steven J. Murdoch http://www.lightbluetouchpaper.org/2006/06/13/anatomy-of-an-xss-exploit/#comment-575 Steven J. Murdoch Tue, 13 Jun 2006 11:08:02 +0000 http://www.lightbluetouchpaper.org/2006/06/13/anatomy-of-an-xss-exploit/#comment-575 <blockquote>There has been a PHP worm before, but I don’t know of any XSS based ones.</blockquote> Just a few hours ago, F-secure <a href="http://www.f-secure.com/v-descs/yamanner_a.shtml rel="nofollow" rel="nofollow" rel="nofollow" rel="nofollow">blogged about</a> a Javascript worm. Although there aren't many details, it looks like it's exploiting an XSS bug in Yahoo Mail. This also reminded me of the <a href="http://www.theregister.co.uk/2005/10/17/web20_worm_knocks_out_myspaces/" rel="nofollow" rel="nofollow">MySpace worm</a>. I still am not aware of any worm which runs code both on the server and client, which would be the likely operation of my hypothesised Wordpress XSS one.

There has been a PHP worm before, but I don’t know of any XSS based ones.

Just a few hours ago, F-secure blogged about a Javascript worm. Although there aren’t many details, it looks like it’s exploiting an XSS bug in Yahoo Mail. This also reminded me of the MySpace worm.

I still am not aware of any worm which runs code both on the server and client, which would be the likely operation of my hypothesised Wordpress XSS one.

]]>