Sunday, March 6, 2011

Submarined XSS - DEMO

I made a demonstration webpage for the XSS I described as a submarined XSS in the previous post, since I was not sure I could adequately explain it in words. The demo has two examples: one is an XSS that succeeds after some user interaction, and the other shows that it cannot be executed as a reflected attack.
The demo page is here.

Thursday, March 3, 2011

Submarined XSS

It is not a new attack vector, but I haven't found a proper word to describe this attack so far.

The attack I describe here is an XSS in which the attack code is properly sanitized before being included in the immediate response and is not stored by the server, so the attack is not carried out at this step yet. However, the attack does harm when the already-sanitized attack code appears again (not sanitized this time, which is the cause of the vulnerability, by the way) after the victim visits several pages on the same website. On this website the session manager prevents visitors from directly accessing the target webpage on which the attack code does harm, so the attack succeeds only when the victim clicks the link the attacker prepared and then browses through some pages on the website, activating the attack code before the session expires.

This attack is not a reflected type of attack, since the attack code is properly sanitized in the immediate response. And since the attack code is not stored by the server, it does not harm every visitor to the target webpage on which it appears, as a stored attack would.
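As an added example, not the demo's or the post's own code, here is a minimal Python model of the flow above: the input is escaped in the immediate response, a session gate blocks direct access to the later page, and that later page renders the same input again unescaped. The page names and session fields are assumptions, as is carrying the input in server-side session state (the post does not say how the site carries it); the fixed version shows the same page with encoding applied at that render site too.

```python
import html

# Constructed model of the multi-page flow described in the post.
# Function names, pages and session fields are assumptions for
# illustration; the input is assumed to ride in session state.

def new_session():
    return {"query": None, "step": 0}

def search_page(session, query):
    """Step 1: echoes the query correctly escaped, but keeps it in session."""
    session["query"] = query
    session["step"] = 1
    return f"<p>Results for: {html.escape(query)}</p>"

def review_page(session):
    """Step 2: reachable only after step 1 (the session gate from the post)."""
    if session["step"] < 1:
        return (403, "<p>Direct access denied</p>")
    session["step"] = 2
    return (200, "<p>Reviewing your search</p>")

def summary_page_vulnerable(session):
    """Step 3, the sink: the session value is rendered again, this time unescaped."""
    if session["step"] < 2:
        return (403, "<p>Direct access denied</p>")
    return (200, f"<p>You searched for: {session['query']}</p>")

def summary_page_fixed(session):
    """Same page with output encoding applied at this render site as well."""
    if session["step"] < 2:
        return (403, "<p>Direct access denied</p>")
    return (200, f"<p>You searched for: {html.escape(session['query'])}</p>")

def walk_flow(summary_page, query):
    """Drive the whole flow; return (direct-access status, step 1 html, step 3 html)."""
    session = new_session()
    blocked, _ = summary_page(session)   # direct access before the flow: gated
    first = search_page(session, query)  # immediate response: escaped
    review_page(session)                 # victim browses the intermediate page
    _, final = summary_page(session)     # the page where the input reappears
    return blocked, first, final

if __name__ == "__main__":
    for page in (summary_page_vulnerable, summary_page_fixed):
        print(page.__name__, walk_flow(page, "<b>marker</b>"))
```

Checking only the first response for encoding gives a false sense of safety here; a scanner or code review has to follow the session-held value to every later place it is emitted.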