Comments on: Self-contained XSS Attacks

By: A bag full of tricks | GNUCITIZEN

A bag full of tricks | GNUCITIZEN — Fri, 02 Jan 2009 10:08:22 +0000

[...] too long ago I presented a technique that can be used to compose self-contained html pages. Apart from the most obvious use [...]

By: john

john — Tue, 13 Mar 2007 23:20:44 +0000

nice

By: Life of an OWASP Chapter Leader » Blog Archive » JavaScript Badware

Life of an OWASP Chapter Leader » Blog Archive » JavaScript Badware — Thu, 22 Feb 2007 19:41:08 +0000

[...] What worries me are the next stages. Recently XSS was the attack vector discovered in Google’s popular Desktop Search. One of the tools referenced in the research paper is the XSS proxy tool. This reminded me of the post by PDP on persistent XSS, stating “Persistent XSS is more dangerous since it allow attackers to control exploited clients for longer”. [...]

By: Kishor

Kishor — Wed, 11 Oct 2006 06:31:29 +0000

This is how Orkut thing could have happened http://wasjournal.blogspot.com.....ector.html

By: pdp

pdp — Mon, 09 Oct 2006 09:28:23 +0000

My original tests were a failure but now when you are saying that it is possible I must have a second look at this issue. Thanks, man.

By: Kishor

Kishor — Mon, 09 Oct 2006 08:48:22 +0000

I’m able to read cookies using this technique! Not directly but certainly possible. MustLive is right

By: Kishor

Kishor — Mon, 09 Oct 2006 08:27:08 +0000

pdp,

Unfortunately I do not have the HTML stored, because they fixed it too quickly. Fortunately I had taken this snapshot. But I’m sure many Indians have seen that flag that day. URL decoded version looks like this

http://www.orkut.com/">



By: pdp
pdp — Mon, 09 Oct 2006 02:16:22 +0000
Kishor, that is quite interesting but it will be even more if we can see some HTML. :)



By: Kishor
Kishor — Fri, 06 Oct 2006 18:01:59 +0000
Not sure under what topic should I put this.

http://wasjournal.blogspot.com.....d-www.html



By: MustLive
MustLive — Fri, 29 Sep 2006 15:01:54 +0000
pdp and RSnake. Why do you think, that cookies theft don’t work with this attack vector. As I tested the alert(document.cookie) script is working fine and you may see cookie (and so you may steal it).
You just need to put a link with appropriate (encrypted) data in href attribute on site. And than cookies tricks will be possible in current domain.



By: matthewtheexploit
matthewtheexploit — Tue, 26 Sep 2006 01:29:56 +0000
heh nice guys, i’ve known about this for a while, didnt think it would work for other applications, nice jobb i love your guy’s work at this site :)



By: pdp
pdp — Sat, 23 Sep 2006 12:35:28 +0000
Hi superlone,
As far as I know IE6 and IE7 does not support data URLs. However, I believe that this is quite useful feature that could benefit many AJAX applications. I won’t be surprised if Microsoft implements data URLs or similar mechanism some day.
Again, although it is quite useful, keep in mind that this can be used in very bad ways.



By: superlone
superlone — Sat, 23 Sep 2006 11:24:26 +0000
this is very useful and helpful article.But i have one question,the uri like this:

data:text/html;base64,PHNjcmlwdD4NCmFsZXJ0KCJTZWxmLWNvbnRhaW5lZCBYU1MiKTsNCjwvc2NyaXB0Pg==

can it work on IE?i really want to know,thanks!


By: manus
manus — Sat, 23 Sep 2006 02:14:04 +0000
This reminds me of the old functionality (now disabled) in Netscape’s about: “protocol”.  Circa ’98 I used to set the start pages on my high school’s machines to “about:Hi [the admin's name]!” or something stupid like that.
Also see http://www.guninski.com/netscape.html



By: pagvac
pagvac — Fri, 22 Sep 2006 22:36:36 +0000
Nice work pdp! Another reminder that we shouldn’t trust anything when we go online.
Here is my personal recipe for those users that are paranoid:
- go online using restricted-user privileges

- use a browser extension which allows you to whitelist which domains are allowed to run scripting (i.e.: Firefox’s NoScript)

- use common sense!
Will keep checking your site regularly pdp!



By: David Kierznowski
David Kierznowski — Fri, 22 Sep 2006 20:37:31 +0000
RSnake, I didn’t even know this attack vector was in your cheat sheet and I have been through it loads of times – A table of contents might be cool.
pdp, cool paper.. I think this area needed additional light and explanation.
I would like to think that any half decent application filter should be able to decode base64 and check it for script tags, but heck, who am I kidding :)



By: pdp
pdp — Fri, 22 Sep 2006 18:48:42 +0000
Hi Denver,
I stated that it doesn’t work in IE6 and IE7. I don’t quite agree that it is harmless for reasons I have already discussed in this post.



By: Blad3
Blad3 — Fri, 22 Sep 2006 17:36:26 +0000
RSnake, would you like to describe in more detaila what do you mean with “building CSRF tools”. CSRF – cross site request forgery – I suppose.
Thanks



By: Denver
Denver — Fri, 22 Sep 2006 16:38:00 +0000
this is not work in IE.6.0

data:text/html;base64,PHNjcmlwdD4NCmFsZXJ0KCJTZWxmLWNvbnRhaW5lZCBYU1MiKTsNCjwvc2NyaXB0Pg==

The browser shows that "the page can not be displayed". Even if it works, all this is harmless, just useless tricks.. I cannot get remote control, cannnot install files remotely, cannot change/delete html pages..


By: pdp
pdp — Fri, 22 Sep 2006 16:07:15 +0000
RSnake,
I am not claiming it is new. In fact I clearly stated in my post that some of you may already be familiar with it. Apparently you are.
To be honest with you, cookie theft is probably one of least things I am interested in. Data URLs are brilliant for enabling very powerful attacks. I am surprised that they have been covered so vaguely in past. There is so much potential in them.
I am quite concerned about JavaScript tools being able to assemble PDF and DOC documents on the fly. What about worms that carry their payloads in a single URL? IMHO this is a serious security issue.