I don't understand the risk of XSS
Posted: Thu Jun 05, 2008 2:44 pm
by impulse()
I've read quite a few documents now and watched a video and I really don't understand how XSS is an issue. What I understand so far is that JavaScript is run in the client's browser to expose their cookies. But it also seems that a site hosting XSS can only reveal cookies for that particular domain, which the domain has access to anyway.
Am I confusing XSS in thinking that it's somehow possible to create a page that, when a user visits it, sends all of their cookies, including cookies from other domains, to another address?
E.g.:
Visit
http://www.example.com/stealCookies.php
stealCookies.php fetches ALL cookies from the user's browser
stealCookies.php sends those cookies to the attacker.
Re: I don't understand the risk of XSS
Posted: Thu Jun 05, 2008 2:51 pm
by VladSun
No, you can't steal cookies this way because you don't have access to cookies which do not belong to the example.com domain. You need to inject JavaScript code in the target domain, which when executed in the browser sends (usually by GET) the cookie content to a page in another domain (the attacker's domain).
Re: I don't understand the risk of XSS
Posted: Thu Jun 05, 2008 2:57 pm
by impulse()
So there are 2 example domains:
example1.com
example2.org
example1.com is an attacker's domain and example2.org is the domain an attacker wants to steal a user's cookies for. Would an attacker need to gain access to example2.org and host a file on there before XSS would work?
Re: I don't understand the risk of XSS
Posted: Thu Jun 05, 2008 3:05 pm
by VladSun
Usually the XSS code is injected through unsanitized inputs/outputs on example2.org.
Re: I don't understand the risk of XSS
Posted: Thu Jun 05, 2008 3:08 pm
by impulse()
That makes a lot more sense. Before you said that, it seemed to me that the attacker had to gain unauthorized access to example2.org and host a rogue file on there.
Thanks,
Re: I don't understand the risk of XSS
Posted: Thu Jun 05, 2008 4:04 pm
by Mordred
XSS >> (even >>>>!) cookie stealing
(Hint: ">>" is the math notation for "much much greater")
It is generally an attack on the client. It exploits the trust the client has in the server. Leaking cookies to a 3rd party is only one of the possible concerns. XSS can lead to / be used for defacing, phishing, as leverage to help CSRF, as a covert communication channel, for (D)DoS, etc. Persistent XSS in a multi-user site means lots of browsers under the control of the attacker, an instant botnet if you will.
It is a serious vulnerability, easy to make, easy for the attacker to discover, and potentially damaging to many parties.
Re: I don't understand the risk of XSS
Posted: Thu Jun 05, 2008 5:24 pm
by impulse()
So any website that uses cookies and doesn't validate user input is at risk?
Re: I don't understand the risk of XSS
Posted: Thu Jun 05, 2008 5:35 pm
by VladSun
impulse() wrote: So any website that uses cookies and doesn't validate user input is at risk?
Any website that doesn't validate/filter/sanitize user input is at risk
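As an added example (not code from any poster in this thread), here is a minimal Python illustration of the point VladSun makes above: the same "comment" rendered without and with output escaping, plus the HttpOnly cookie flag that keeps a session cookie out of reach of script running in the page. The comment text and function names are constructed for the example.

```python
import html
from http import cookies

# Constructed sample input: a comment a user submitted that contains markup.
SAMPLE_COMMENT = "Nice post! <script>alert('xss')</script>"


def render_comment_unsafe(comment: str) -> str:
    # Vulnerable pattern: user input is interpolated straight into the page,
    # so any markup it contains becomes part of the DOM for every visitor.
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    # Hardened: escape for the HTML body context, turning < > & " ' into
    # entities so the browser displays the text instead of executing it.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_profile_link(display_name: str) -> str:
    # Attribute context: quote=True matters here, otherwise a double quote in
    # the input could close the title attribute and start a new one.
    return f'<a title="{html.escape(display_name, quote=True)}">profile</a>'


def contains_raw_script_tag(rendered: str) -> bool:
    # Simple reviewer check over rendered output: is an unescaped <script
    # tag present? Useful as a test assertion on templates.
    return "<script" in rendered.lower()


def session_cookie_header(token: str) -> str:
    # Mark the session cookie HttpOnly (and Secure) so injected script cannot
    # read it through document.cookie, which blunts the theft scenario above.
    jar = cookies.SimpleCookie()
    jar["session"] = token
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_comment_unsafe(SAMPLE_COMMENT))
    print(render_comment_safe(SAMPLE_COMMENT))
    print(session_cookie_header("constructed-token"))
```

Escaping on output is the reliable fix because it does not depend on every input path being filtered; HttpOnly limits the damage if an injection is missed.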