DDoSed.com - An IT security information blog » XSS

Cross-Site Framed?

D1m — Wed, 28 Mar 2007 02:59:34 +0000

Have you heard of cross-site framing? The past few days I saw listed on our archive, several websites vulnerable to cross-site framing – listed as frame redirection. I will briefly describe a possible exploitation scenario, concluding with more emphasis on the negative impact that this type of vulnerability can have to the privacy of innocent individuals who are users of the affected websites.

Using google-dorks, the attackers can search for frame scripts allowing the inclusion of any url. This search reveals thousands of results with too many websites vulnerable to cross-site framing:

allinurl:”url=http” “frame”

inurl:frame filetype:asp inurl:”url=”
inurl:frame filetype:aspx inurl:”url=”
inurl:frame filetype:php inurl:”url=”
inurl:frame filetype:cfm inurl:”url=”

inurl:iframe filetype:asp inurl:”url=”
inurl:iframe filetype:aspx inurl:”url=”
inurl:iframe filetype:php inurl:”url=”
inurl:iframe filetype:cfm inurl:”url=”

allinurl:http frame.asp
allinurl:http frame.aspx
allinurl:http frame.php
allinurl:http frame.cfm

allinurl:frame.php?url=http
allinurl:frame.asp?url=http

Phishing and other scams are now easier to perform due to cross-site framing.
Having found such frame scripts, allows the attackers to include a webpage which is hosted somewhere else. This webpage can be designed to look like the original website and can be any cross-platform server-side script. It can contain a fake login form which on submit parses the inputted usernames and passwords and sends them to the attacker’s mailbox in cleartext format.

It is also possible to perform XSS attacks as in most cases there is no filtering of special characters, script or other common tags in the URL parameter.

Daniel Hugh mailed us about a cross-site framing and scripting vulnerability affecting Gov.MT (Official website of the Government of Malta):

Gov.MT with Frame Redirect and XSS

The XSS vulnerabilities affecting websites can also be used to perform frame redirects, but not the contrary. So if you submit a website vulnerable to cross-site framing along with a XSS attack vector, we will publish it as XSS.

The above news were written in order to heighten the awareness of potential privacy threats to users of the web.

You can also access this blog post from XSSed.com – a project I run with Kevin Fernandez.

Here is the link:

http://www.xssed.com/news/26/Cross-site_framed/

Internet Explorer 7: Phishing Using Local Resource Vulnerability

D1m — Thu, 15 Mar 2007 08:56:13 +0000

Aviv Raff has published on his blog an interesting proof of concept of the vulnerability affecting Internet Explorer v7: a cross-site scripting in the navcancl.htm local resource.

This resource is called when the navigation to a page has been canceled, it displays an error message with a link to reload the current page, however the link is not filtered before being used (successful exploitation requires the user to click on the link). The researcher also explains how the browser does not show in the URL the local resource when it is called, this design flaw can thus be combined with the XSS vulnerability to conduct very dangerous phishing attacks.

A PoC is available on the Aviv Raff’s website:
http://www.raffon.net/research/ms/ie/navcancl/cnn.html
For those who do not have Internet Explorer 7, a video is also provided:
http://raffon.net/videos/ie7navcancl.wmv

Original News #1: http://aviv.raffon.net/2007/03/14/PhishingUsingIE7LocalResourceVulnerability.aspx by Aviv Raff

Original News #2: http://www.xssed.com/news/23/IE7_users_beware_of_Navigation_Canceled_errors/ by Kevin Fernandez

XSSed.com: What, Who, Why?

D1m — Tue, 06 Mar 2007 13:28:35 +0000

The goals of XSSed.com are to provide informative resources on cross-site scripting(XSS) vulnerabilities and exploitation methodologies, and to archive XSS vulnerable websites for statistic purposes. Mirroring websites is a way to prove to vendors and webmasters that the vulnerability really existed – in case of denial. Users will become more aware on protecting themselves on some websites, as XSS vulnerabilities are mostly targeting the users and not the websites.

XSSed.com is also an attempt to spread education and awareness about XSS to IT professionals and amateurs involved or interested in secure web application development.

The project is run by Kevin Fernandez and Dimitris Pagkalos.
There are still a lot of improvements in the TODO list including the ones listed below:
-RSS feeds.
-Search filters.
-More statistics.
-Submit POST data in the submission page.
-Add public and protected informations with the submitted XSS (more details will soon be available).
-Additional informations will be published on the mirror page (for instance the use of a specific browser to reproduce the vulnerability).

Submitting XSS vulnerable websites, should not be seen as a game for getting the lead in total submissions. Nevertheless we encourage you to submit XSS vulnerable websites for the greater good of a secure web. As RSnake commented on his blog post about XSSed.com, “It’s not who finds the most, it’s about the ease of finding them, the difficulty in stopping them, the various vectors, etc…”. We seriously take in consideration such comments and suggestions for improvements by people with significant experience and expertise in the web application security field.

We call for papers and video tutorials that focus on exploiting XSS vulnerabilities and on preventing them.

Since the launch of XSSed.com, we received many notifications of high-profiled websites that got XSS’ed.

Here is a list of notable XSS’ed websites in the archive:

hushmail.com
youtube.com
members.microsoft.com
netscape.com
*.search.yahoo.com
my.screenname.aol.com
my.imageshack.us
register.go.com
cafepress.com
thawte.com
verisign.com
zonelabs.com
www4.symantec.com
domaintools.com
controlpanel.netfirms.com
2600.com
sun.com
*.globo.com – Famous portal in Brazil
*.mynet.com – Famous portal in Turkey
login.pathfinder.gr – Famous portal in Greece

plus many other “special” websites, including governmental and military…

So far we have had visitors and submitters from – in order of number of visits – Turkey, Italy, United Kingdom, United States, Brazil, France, Russia, Germany, Czech Republic and Pakistan. We would like to thank you for supporting our project.

The XSS attack vectors used on the archived websites, were from RSnake’s XSS cheat sheet.

XSSed.com – Cross-Site Scripting Information And Attacks Archive To Be Launched Soon

D1m — Thu, 08 Feb 2007 14:13:42 +0000

A new website dedicated specifically to cross-site scripting(XSS) vulnerabilities, will soon be launched in BETA mode.

With a no-hat approach, and only for educational purposes, we will receive notifications of websites, web-based services and software applications that have been “XSSed“. When a cross-site scripting vulnerability is submitted – URL poisoning, frame injection and other vulnerabilities that can be exploited against users are also allowed – it will be saved automatically in the on-hold archive until review by our staff.

We classify the archived attacks into special (high-profiled) and not special. You can also view what was their unique Alexa pagerank at the time of submission.

Note: Script insertion vulnerabilities, which can lead to cross-site scripting, can also be used to damage a site by blocking its visual access. Please note that this could represent a crime in many countries and we do not support this action.

The goals of XSSed.com, are to provide helpful information resources on cross-site scripting (XSS) attacks and vulnerabilities, and to archive XSS vulnerable websites for statistic purposes. It is an attempt to spread education and awareness about XSS to IT professionals and amateurs interested in secure web application development.