Thursday, March 3, 2011

Submarined XSS

This is not a new attack vector, but I haven't found a proper name for describing this attack so far.

The attack I describe here is an XSS in which the attack code is properly sanitized before it is included in the immediate response, and is not stored by the server, so no harm is done at that step. The harm comes later: the same attack code, sanitized the first time around but not the second, appears again, unsanitized, after the victim has visited several more pages on the same website (that missing second sanitization is the cause of the vulnerability, by the way). On this website, the session manager prevents visitors from directly accessing the target page where the attack code does its harm, so the attack succeeds only when the victim clicks the link the attacker prepared and then browses through the required pages, activating the attack code before the session expires.
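To make the mechanics concrete, here is a small simulated three-page flow. It is an added example written for this post, not code from any real site: it assumes the attacker-controlled value travels between pages in server-side session state (the post does not say how the value is carried) and that the "session manager" gate is a per-session step counter. The step-1 page encodes the value in its own response, so the reflected copy is harmless; the confirmation page, reachable only after step 2, prints the same value raw. The hardened variant encodes on every output regardless of where the value came from.

```python
"""Simulated multi-step flow showing the 'submarined' XSS pattern.

Added example, not from the original post. Assumptions (labelled):
- the attacker-controlled value is carried forward in session state and never
  persisted; the post does not say how the value travels between pages;
- the flow gate is a per-session step counter that rejects out-of-order access.
No real HTTP is involved; requests and responses are plain Python values.
"""
import html
from functools import partial
from typing import Callable, Dict, List, Tuple

# Constructed test input, not a payload from the post.
PAYLOAD = "<script>alert(document.cookie)</script>"

Session = Dict[str, str]
Response = Tuple[int, str]          # (status code, HTML body)


def _handle(session: Session, path: str, params: Dict[str, str],
            escape_on_confirm: bool) -> Response:
    if path == "/step1":
        name = params.get("name", "")
        session["name"] = name          # assumption: carried in session only
        session["step"] = "1"
        # Output encoding is applied here, so the immediate response is harmless
        # and a reflected-XSS check on this page finds nothing.
        return 200, f"<p>Hello, {html.escape(name)}. Continue to step 2.</p>"

    if path == "/step2":
        if session.get("step") != "1":
            return 403, "<p>Complete step 1 first.</p>"
        session["step"] = "2"
        return 200, "<p>Step 2 done. Continue to the confirmation page.</p>"

    if path == "/confirm":
        if session.get("step") != "2":   # flow gate: no direct access
            return 403, "<p>Complete the previous steps first.</p>"
        name = session.get("name", "")
        if escape_on_confirm:
            name = html.escape(name)
        # Vulnerable variant (escape_on_confirm=False): the value is trusted
        # because it "already passed" step 1, and is written into the page raw.
        return 200, f"<p>Confirm registration for {name}.</p>"

    return 404, "<p>Not found.</p>"


vulnerable_app: Callable[..., Response] = partial(_handle, escape_on_confirm=False)
hardened_app: Callable[..., Response] = partial(_handle, escape_on_confirm=True)


def walk_flow(app: Callable[..., Response], payload: str) -> List[Response]:
    """Victim clicks the crafted link (step 1) and follows the flow to the end."""
    session: Session = {}
    return [
        app(session, "/step1", {"name": payload}),
        app(session, "/step2", {}),
        app(session, "/confirm", {}),
    ]


def direct_access(app: Callable[..., Response], payload: str) -> Response:
    """Jumping straight to the target page in a fresh session hits the gate."""
    return app({}, "/confirm", {"name": payload})


def executes(body: str) -> bool:
    """Crude marker for 'the script tag survived into the markup'."""
    return "<script>" in body


if __name__ == "__main__":
    for label, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(f"== {label} ==")
        print("direct /confirm:", direct_access(app, PAYLOAD))
        for status, body in walk_flow(app, PAYLOAD):
            print(status, body, "<- EXECUTES" if executes(body) else "")
```

Run it and compare the two flows: in both, the step-1 response shows `&lt;script&gt;` and a direct request to `/confirm` is refused, which is exactly why a scanner that only inspects immediate responses, or that requests pages out of order, reports nothing. Only the vulnerable flow's final page carries the raw tag.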

This is not a reflected XSS, since the attack code is properly sanitized in the immediate response. Nor is it a stored XSS: because the server does not store the attack code, it does not affect every visitor to the target page the way a stored attack would, only the victim who followed the attacker's link and walked through the flow.