
[Full-Disclosure] Non-Lame XSS Vulnerability - Analog-X Proxy



How about this for a halfway useful XSS issue: AnalogX
proxy includes an HTTP proxy; when a domain fails a DNS
lookup it will return an error page with the failed
domain name in it.
OK great, so we can steal cookies from any web page on
the internet, providing it doesn't resolve. Not a lot
of use, I hear you say. OK, maybe you can take down a
nameserver long enough to steal cookies from some
site, how.... Inelegant.
But, the real trick is when you compare the URL
parsing of MSIE and AnalogX - say with a URL like....

http://www.yahoo.com<script>alert(document.cookie)</script>

well MSIE thinks that this is for the domain
www.yahoo.com, and so it uses the cookies from that
domain. However AnalogX thinks that this is for the
domain

www.yahoo.com<script>alert(document.cookie)</script>

Unless you have very fucked up DNS this won't resolve
to anything and AnalogX will return an error page
containing the script.

Now if you're a smart hacker you can create a chain of
redirects using your server and the XSS URLs, bounce
the target to a whole host of URLs and steal all their
cookies, find those domains for which the user has
set low security settings and exploit these if you
like. Or whatever you want to accomplish with your
newfound global XSS prowess.

Chris Sharp

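The post's root cause is a proxy that reflects an unresolved host name into an HTML error page verbatim, combined with a browser that parses the same URL more leniently than the proxy does. The following is an added example (editor's illustration, not code from the post or from AnalogX) showing a naive proxy-style host extraction, the reflecting error page beside a hardened one that validates the host name syntax before echoing it and HTML-escapes the result, and a small check that flags pages which still carry markup. The sample URLs and the function names are constructed for the example.

```python
import html
import re

# Constructed sample absolute URLs (not from the original post), in the form
# a forward proxy receives them in the request line.
SAMPLE_URLS = [
    "http://www.example.com/index.html",
    "http://www.yahoo.com<script>alert(document.cookie)</script>",
    "http://bad_host!.example/",
]

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def host_from_url(url: str) -> str:
    """Naive host extraction of the kind many proxies do: drop the scheme,
    cut at the first '/', drop userinfo and a ':port' suffix.  Note that a
    '<' in the authority part survives into the host string."""
    rest = url.split("://", 1)[1] if "://" in url else url
    authority = rest.split("/", 1)[0]
    if "@" in authority:
        authority = authority.rsplit("@", 1)[1]
    if authority.count(":") == 1:
        authority = authority.split(":", 1)[0]
    return authority


def is_valid_hostname(host: str) -> bool:
    """RFC 1123-style syntax check: dotted labels of letters, digits, hyphens."""
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    return all(LABEL_RE.match(label) for label in labels)


def error_page_unsafe(host: str) -> str:
    """The pattern the post describes: the unresolved host is reflected into
    the HTML body as-is, so any markup in it runs in the client."""
    return f"<html><body>Could not resolve host: {host}</body></html>"


def error_page_safe(host: str) -> str:
    """Hardened form: refuse to echo anything that is not a syntactically
    valid host name, and HTML-escape whatever is echoed."""
    if is_valid_hostname(host):
        shown = html.escape(host, quote=True)
    else:
        shown = "(invalid host name)"
    return f"<html><body>Could not resolve host: {shown}</body></html>"


def reflects_markup(page: str) -> bool:
    """Detection helper for a response-side check: an error page that still
    contains an unescaped <script tag is reflecting attacker-controlled input."""
    return "<script" in page.lower()


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        host = host_from_url(url)
        print(f"{url!r}")
        print(f"  host   : {host!r}  valid={is_valid_hostname(host)}")
        print(f"  unsafe : reflects markup = {reflects_markup(error_page_unsafe(host))}")
        print(f"  safe   : {error_page_safe(host)}")
```

The validation step matters more than the escaping alone: a host name that fails the syntax check was never going to resolve, so there is no reason for the proxy to echo it at all, and rejecting it up front removes the parsing-discrepancy class of bug regardless of how the browser interpreted the URL.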

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html