rXSS, is it really all _that_ dangerous?

Before I go into the actual subject matter of my blog post today, I wanted to see if anyone else noticed that http://www.thedarkvisitor.com/ is down, and has been for about a week or so. I actually read Scott's book, here: http://www.lulu.com/content/1345238 and it was a pretty good history lesson on Chinese hacking. Scott has been doing research on Chinese hacking for a long time and has provided some great insight into the inner workings of the eastern hacker subculture. Anyway, it's a shame to see it go away, and if anyone has any info on it, I'd love to hear it.
 
 
On to the main event! I want to dredge up a topic that everyone has beaten to death: cross-site scripting.
Now, before you close this tab, let me explain. I want to talk about XSS methods and why some of them are worse than others, so my hope is that this is actually a fresh look at an old topic.
This came up at work because there are probably a dozen or more variations of reflected XSS (rXSS), many of them so difficult to actually execute that we are considering reducing the overall risk rating to Medium or Low. Take this example:
 
 
Request

GET /a/b/c/d.jsp HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: SESSIONID=62307aaa94157d557d32fd3c4</script><script>alert(xss)</script>ba07912d0c7; CFID=33932; CFTOKEN=40983b7ca2f86ef0-240A3F24-E7FB-3F54-4A0A61A465EB96A8

Response

HTTP/1.1 200 OK
Date: Thu, 29 Jan 2009 20:47:55 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: SESSIONID=62307aaa94157d557d32fd3c4</script><script>alert(xss)</script>ba07912d0c7;path=/
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<script type="text/javascript">var _jsessionid = '62307aaa94157d557d32fd3c4</script><script>alert(xss)</script>ba07912d0c7';</script>
...[SNIP]...

Now, there is no doubt that this screams reflected XSS, but how bad is it __really__? (One aside on the capture itself: the payload's alert(xss) names an undefined identifier, so a browser would raise a ReferenceError rather than pop a dialog; alert('xss') would confirm it. The break-out is real either way: the echoed </script> closes the page's own script element, and the attacker's <script> block is parsed and run on its own.)
 
Let's break it down:
 

  1. The user gets a session cookie.
  2. Something local to the user, or a man in the middle, poisons the cookie value with an XSS payload.
  3. The server echoes the poisoned cookie value back into the page, here inside an inline script.

 
So two things have to happen here: the cookie must be modified, and the server must echo it back.
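Step 3 is the part worth being precise about, because "it is inside a JavaScript string" is the usual argument for downgrading this finding. The added example below is not from the post or the application in question; the page template is modelled on the response above, the payload is a constructed copy of the poisoned SESSIONID, and the HTML tokenizer model is a simplification. It shows that quote-escaping the value does nothing, because the browser's HTML parser ends the script element at the first `</script` before the JavaScript engine ever sees the string, and that encoding `<`, `>` and `&` as `\uXXXX` escapes inside a JSON-encoded literal is what actually closes the hole.

```javascript
// Added example (not from the post): a session ID echoed into an inline
// <script> string is exploitable even though it sits inside JS quotes.
// Template modelled on the captured response; payload is a constructed copy
// of the poisoned SESSIONID; scriptBodies() is a rough tokenizer model.

const CLEAN = "62307aaa94157d557d32fd3c4ba07912d0c7";
const POISONED = "62307aaa94157d557d32fd3c4</script><script>alert(xss)</script>ba07912d0c7";

// What the captured response does: raw cookie value dropped into a JS string literal.
function renderVulnerable(sessionId) {
  return `<script type="text/javascript">var _jsessionid = '${sessionId}';</script>`;
}

// Tempting "fix": escape quotes and backslashes for the JS string. Still broken,
// because the HTML tokenizer ends the script element at the first "</script"
// regardless of JS quoting; the JS engine never parses the string as one unit.
function renderQuoteEscaped(sessionId) {
  const s = sessionId.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
  return `<script type="text/javascript">var _jsessionid = '${s}';</script>`;
}

// Correct encoding for a JS string inside HTML script data: JSON-encode the
// value, then escape <, >, & (and the JS line terminators U+2028/U+2029) as
// \uXXXX so no tag boundary can appear in the script body.
function jsStringLiteral(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    c => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderSafe(sessionId) {
  return `<script type="text/javascript">var _jsessionid = ${jsStringLiteral(sessionId)};</script>`;
}

// Rough model of the HTML tokenizer's script-data state: each <script> element
// ends at the first "</script". Returns the script bodies a browser would run.
function scriptBodies(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// The page was written with exactly one script body; anything else is a break-out.
function isBrokenOut(html) {
  return scriptBodies(html).length !== 1;
}

// Sanity check on the safe encoding: the literal still evaluates to the original value.
function roundTrips(value) {
  return new Function("return " + jsStringLiteral(value))() === value;
}

// Stand-alone demo.
for (const [name, render] of [["vulnerable", renderVulnerable],
                              ["quote-escaped", renderQuoteEscaped],
                              ["safe", renderSafe]]) {
  const html = render(POISONED);
  console.log(name, isBrokenOut(html) ? "BREAKS OUT" : "contained", scriptBodies(html));
}
```

The vulnerable and quote-escaped renderings both yield two script bodies, the second being the attacker's `alert(xss)`; the safe rendering yields one, and `roundTrips` shows the application still gets its session ID back unchanged.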
 
In this particular case we are on plain HTTP and the cookie is not flagged Secure (or HttpOnly), but that doesn't really matter anyway. The real question is this:
 
What malware poisons cookies? (well, my PoC malware does!!)
 
Yes, the user could do it themselves, but that would be silly because the rXSS would only affect them.
 
Here is why I say this is still a major issue...
 
Where do you typically see session IDs? They are often also transported in the URL (servlet containers, for example, will rewrite the ID into the path as ;jsessionid=...), and an application that accepts the session ID from the URL as well as from the cookie lets an attacker deliver the poisoned value in a link instead of having to tamper with the victim's cookie. That is what raises the danger level of rXSS in poisoned cookies and session IDs. Don't believe me? Click here:
 
http://www.dpmsinc.com/photo.aspx?path=http://appseclive.org/sites/default/files/u3/brad_dancing.gif
 
Yes, that's really me. =)
 
Also, depending on the application, session IDs are stored in a back-end database for tracking or as a key. Now you've got potential SQL injection, or stored XSS wherever else in the application that value is rendered again.
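The URL point deserves a concrete model, because it is what separates "self-XSS" from a finding an attacker can actually use. The added example below is not from the post or the application it describes; the request shape, the ;jsessionid= path convention, the URL-before-cookie lookup order and the hex session-ID format are all assumptions chosen to illustrate the point. It shows a victim with a clean cookie receiving the poisoned session ID purely from a link, and the two checks that stop it: take the session ID from the cookie only, and reject anything that is not an opaque token before it reaches a template or a query.

```javascript
// Added example (not from the post): how a session ID the server also reads
// from the URL lets an attacker deliver the poisoned value with a link.
// Request shape, ";jsessionid=" convention, lookup order and the hex token
// format are assumptions for illustration.

const CLEAN_ID = "62307aaa94157d557d32fd3c4ba07912d0c7";
const POISONED_ID = "62307aaa94157d557d32fd3c4</script><script>alert(xss)</script>ba07912d0c7";

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Servlet-style URL rewriting carries the session ID in the path: /x.jsp;jsessionid=...
function sessionIdFromUrl(url) {
  const m = /;jsessionid=([^;?#]*)/i.exec(url);
  return m ? decodeURIComponent(m[1]) : null;
}

// Assumed lookup order: a URL-carried ID wins over the cookie. This is the
// behaviour that turns a cookie-poisoning rXSS into a link an attacker can send.
function resolveSessionId(req, opts = { acceptUrl: true }) {
  if (opts.acceptUrl) {
    const fromUrl = sessionIdFromUrl(req.url);
    if (fromUrl !== null) return fromUrl;
  }
  const cookies = parseCookies(req.headers.cookie);
  return cookies.SESSIONID !== undefined ? cookies.SESSIONID : null;
}

// Allow-list check: a session ID is an opaque hex token; anything else must
// never reach a template, a log line or a database query.
function isWellFormedSessionId(id) {
  return typeof id === "string" && /^[0-9a-f]{16,64}$/i.test(id);
}

// Hardened lookup: cookie only, and malformed values are dropped, not echoed.
function resolveSessionIdHardened(req) {
  const id = resolveSessionId(req, { acceptUrl: false });
  return isWellFormedSessionId(id) ? id : null;
}

// Constructed attacker link and the victim's request when they click it:
// their own cookie is untouched, the payload rides in the path.
const attackerLink = "/a/b/c/d.jsp;jsessionid=" + encodeURIComponent(POISONED_ID);
const victimReq = { url: attackerLink, headers: { cookie: "SESSIONID=" + CLEAN_ID + "; CFID=33932" } };

console.log("default lookup:", resolveSessionId(victimReq));
console.log("hardened lookup:", resolveSessionIdHardened(victimReq));
```

With the default lookup the page would render the poisoned ID for a victim who never had their cookie touched; with the hardened lookup the same request resolves to the victim's real session, and a request whose cookie itself is poisoned resolves to nothing rather than to a payload.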
 
So, yes, rXSS, no matter what vector is used, can still be dangerous.
 
Got an opinion? Post a comment!!!!
 
-Brad