Archive for October 2006
At the simplest level, fragmentation attacks are possible when several fragments, which are by themselves not a security risk and can therefore be allowed to pass through a filter or firewall, are recombined when they reach their destination and produce something dangerous.
The actual exploit is using <body foo=' in your "Music Interests" box for your profile.
Everything that separates the Music and Film sections then ends up inside the foo attribute. In the Movies section of your interests you put ' onLoad='alert("xss");> and the result turns out something like this.
Live code. Uses Maluc's CSRF of changing your preferred language to French.
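As an added illustration (not code from the original post), the following shows why checking each profile box on its own lets the two halves above through, and why encoding each field for its HTML context at render time stops the reassembled tag; the field names, the filter regex and the page template are assumptions.

```python
import html
import re

# Naive per-field filter of the kind the post describes: each box is
# checked on its own for a complete HTML tag, so a fragment that opens a
# tag but never closes it looks harmless.
COMPLETE_TAG = re.compile(r"<[a-zA-Z][^<>]*>")

def fragment_looks_safe(field: str) -> bool:
    """True if the field, taken by itself, contains no complete tag."""
    return COMPLETE_TAG.search(field) is None

def render_vulnerable(music: str, film: str) -> str:
    """Filter each field separately, then splice both into the page."""
    for field in (music, film):
        if not fragment_looks_safe(field):
            raise ValueError("rejected field: complete tag found")
    # Assumed profile template: the two boxes are rendered back to back,
    # so the two harmless-looking halves are reassembled into one tag and
    # the markup between them is swallowed by the open attribute value.
    return f"<div>Music: {music}</div><div>Film: {film}</div>"

def render_hardened(music: str, film: str) -> str:
    """Same template, but each field is HTML-encoded at output time."""
    m = html.escape(music, quote=True)
    f = html.escape(film, quote=True)
    return f"<div>Music: {m}</div><div>Film: {f}</div>"

def rendered_contains_event_handler(page: str) -> bool:
    """Detection check on the final page: is there a <body ... onload=> tag?
    Quoted attribute values may contain '>' so they are skipped as a unit,
    mirroring how the browser tokenises the tag."""
    tag = r"<body\b(?:[^>'\"]|'[^']*'|\"[^\"]*\")*\bonload\s*="
    return re.search(tag, page, re.IGNORECASE) is not None

# Constructed sample input mirroring the two fragments the post describes.
MUSIC = "<body foo='"
FILM = "' onLoad='alert(\"xss\");>"
```

Each fragment passes the per-field check, the whole payload in a single box does not, and only the hardened renderer produces a page without the live handler.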
Earlier today, on the sla.ckers.org forums, there was mention of virtual machines, anti-phishing toolbars and XSS. This got me thinking about what users could do to protect themselves from phishing and other XSS-induced troubles. Now, a virtual machine may protect you from viruses, but it does nothing for XSS. The cookies of the browser inside your virtual machine are still accessible from within that virtual machine. RSnake mentioned it could prevent Intranet scanning, so perhaps they could be used in a corporate setting. As I said on the forums…
I would browse inside from a virtual machine, but if it’s a virus, I will reformat. If it’s XSS, my info is gone anyways.
But what about other protection? Firefox 2.0 has an anti-phishing feature. How does this work exactly?
Phishing Protection is turned on by default in Firefox 2, and works by checking the sites that you browse to against a list of known phishing sites. This list is automatically downloaded and regularly updated within Firefox 2 when the Phishing Protection feature is enabled. Since phishing attacks can occur very quickly, there’s also an option to check the sites you browse to against an online service such as Google for more up-to-date protection. This enhanced capability can be turned on via the Security preferences pane.
So, basically it checks the domain against a list of known phishing sites. Great, but again, it does nothing against XSS. A site vulnerable to XSS that you regularly browse will be seen as a non-phishing site due to the domain name ( site.com/search/<xss> ), but the script will still execute and your information, again, is lost! It is a great feature against normal phishing attempts, though.
So, perhaps at the browser level? Nope. Not there. The only one even close is Opera, which detects invalid domain characters in the address bar. But they seem to have no interest in expanding the 'feature' to hinder XSS. I suggested it to the MozillaZine community, even with help from RSnake, and they didn't exactly jump onto the idea either.
So, it boils down to this simple fact: for now, we are totally dependent on web developers being aware of the security risks and using good development practices.