Libwebdev

Email conversation

From: Libwebdev
To: Me
Subject: Seeking clarification of your description of XSS
Date: 15 February 2007 00:34

Your article on XSS had me enthralled, and is the most easily understood
explanation that I've found.

Would you mind clarifying:
When you say "... imagine that you have logged into site A, and that site
has used a session cookie to store your identity"  ... does this mean that
XSS can ONLY occur if I'm "logged in" at a site, so that just visiting a
site poses no threat?

I ask because there have been reports of XSS occurring on YouTube recently,
and the IT department at my place of work have recently banned access to
that site because of it. I work in a medical library, and wish to see
library-related material that other libraries have posted to YouTube, but my
IT insist that YouTube is vulnerable. I think that's bs. :)

So, short version (I know you're hella busy): can one be affected by XSS
simply by visiting a vulnerable site without being logged in?

thanks,

lib.

From: Me
To: Libwebdev
Subject: Re: Seeking clarification of your description of XSS
Date: 17 February 2007 22:53

lib,

> does this mean that
> XSS can ONLY occur if I'm "logged in" at a site, so that just visiting a
> site poses no threat?

The simple answer is that yes, in most cases, the maximum damage can be
achieved on sites where you are logged in, or handing sensitive information
to the site, such as a shopping site, bank, or blog/forum.

However, that is not the only way this could become a problem. For example,
your IT dept may have a policy relating to trusted sites - such as only
allowing Internet Explorer to use plugins on certain trusted sites due to
the well documented risks of allowing ActiveX globally. If a site is
vulnerable to XSS attacks, someone could place dangerous ActiveX plugin
content on an otherwise trusted site.

Or maybe they could put some incorrect information on the site recommending
you do something that the site author disagrees with - such as putting a
message on my site recommending to people that they use Netscape 4,
something I would never do. Or perhaps display something on a page of the
site that you did not expect to see there, perhaps point you to a seemingly
harmless page on the site that ends up displaying a pornographic video that
is not permitted for display at work (although there are a number of easier
ways to achieve this on that particular site, it is a simple example of a
relatively harmless exploit).

In the case of YouTube, to my knowledge (though I have not looked in detail)
the problem was actually related to users who were logged in to their
profile and blog. Unless your IT dept actually has such a policy, if you do
not use profiles or blogs on the site, it is unlikely that there is a real
problem with you using the site.

However, of course, your IT dept may actually know about a specific exploit
that I am not aware of, and they may well have a good reason for their
policy. If they do have an example of something that can be exploited in a
dangerous way, without you needing to be logged into the site, or use its
blogs or profiles, I would be very interested to hear about it.


Mark 'Tarquin' Wilton-Jones - author of http://www.howtocreate.co.uk/

From: Libwebdev
To: Me
Subject: Re: Seeking clarification of your description of XSS
Date: 18 February 2007 23:22

Hello Tarquin,

I can't thank you enough for your speedy reply and thorough explanation.

I can assure you, there is nothing whatsoever that my IT dept could possibly
know beyond what you have stated on your site and in this email. Their
paranoia is beyond belief, and their ignorance is sometimes astounding. I
use Firefox, and had to battle them to do so. They scream "security risk"
every time I want to do something (like use a secure browser), and yet they
rely on Microsoft products exclusively (though they exercise no such control
over IE as you describe here) and think YouTube is dangerous.

Thank you again for your time.
regards,
lib.

This site was created by Mark "Tarquin" Wilton-Jones.