Comments on Jeremiah Grossman: Converting unimplementable Cookie-based XSS to a persistent attack
Blogger comments feed (blog author profile: http://www.blogger.com/profile/05017778127841311186), retrieved 2024-02-08T03:44:23.780-08:00; 7 comments, newest first.

albino (2010-12-01T05:09:09.738-08:00):
By inserting your sessionID into someone else's cookie you can log them into your own account, which is useful if the site uses CSRF tokens and has persistent XSS on a page only the account owner can see. Blogger had this flaw quite recently.

i0null (2010-02-16T07:51:55.413-08:00, https://www.blogger.com/profile/03371710586295674457):
If the host is vulnerable to HTTP Response Splitting, injecting a Set-Cookie header could also be used to exploit this.

Simon Zuckerbraun (2010-02-04T18:05:06.574-08:00, https://twitter.com/HexKitchen):
Nice.

One other tiny thing to keep in mind: whenever there's a cookie-based XSS, don't forget to try just sticking the cookie name/value as a query-string parameter instead. Lots of lazy coders do things like Request["username"] (in ASP.NET, for instance), which will pull the data no matter whether it's coming from a cookie, or from a query-string parameter, or from a form variable, or...

nickhacks (2010-02-04T14:27:34.625-08:00, http://twitter.com/nickhacks):
@Jeremiah thanks for the clarification.

The DNS Rebinding attack would work to exploit the cookie-based XSS, but I'm not sure about it remaining persistent (in the manner you describe) due to the nature of DNS Rebinding. The cookie containing the XSS payload will be bound to the domain used to perform the DNS Rebinding attack (evil.com) but can't be bound to the domain that corresponds to the vulnerable site (victim.com). So if the user directly loads victim.com our cookie with the XSS payload won't be sent :(

In any case, all these methods show that cookie-based XSS issues need to be dealt with just like any other XSS.

Jeremiah Grossman (2010-02-04T13:55:14.406-08:00, https://www.blogger.com/profile/05017778127841311186):
@nickhacks in this case the persistence comes in because the victim's browser would be storing the payload in the cookies across multiple sessions. Unless the Web application steps on the username parameter in the cookie at some later point, you are golden.

I also think your inclination about DNS rebinding here is correct. You could use such an attack to load the JavaScript into the cookie.

nickhacks (2010-02-04T13:40:25.802-08:00, http://twitter.com/nickhacks):
After I read this, my initial response was to suggest using DNS Rebinding to set up the XSS attack through the cookie - but after giving it further thought I realized that this wouldn't work because of the problem of switching domains.

This may all depend on the specific architecture of the application tho. By persistent do you mean that the XSS payload in the cookie will remain in the user's browser across multiple sessions, or is the XSS payload actually being stored in the application itself?

If the XSS payload in the cookie became stored by the application and led to a persistent XSS, then DNS Rebinding might actually work to set this up.

Anyways, RSnake covered some cookie-based XSS attacks using DNS Rebinding that you might find interesting if you haven't seen them already: http://ha.ckers.org/blog/20090120/persistent-cookies-and-dns-rebinding-redux/

Ferruh Mavituna (2010-02-04T13:24:41.110-08:00):
There was a similar bug in Blogger ages ago. It was CSRF + Cookie-Based XSS though: http://www.derkeiler.com/Mailing-Lists/VulnWatch/2004-03/0017.html

Also it's always a matter of time that a 3rd party component like Flash will mess it up again (or another client-side vulnerability) and allow attackers to set cookies for other domains.