XSS, no really

XSS tends to get the eyeroll treatment from security pros since

a) it’s everywhere. Two minutes of looking for an example on the GOP website, and tada:

http://www.gopstore.com/cgi-bin/rnc/scan/st=db/co=yes/sf=prod_group/se=stick%3Cimg%20src=0%20onerror=%22alert%281%29%22%20%3Eer/op=eq/tf=description/ml=12/sp=1stickers.html

b) your 8-year-old kid can find it after about 2 minutes of instruction

c) it doesn’t give you a shell (directly)

But it still works. And it owned Apache: http://www.theregister.co.uk/2010/04/13/apache_website_breach_postmortem/ First step to root, and pretty big impact at that. If a target of mine had a sufficiently capable website, I would prefer XSS over another exploit because it works on any OS, and usually any browser. It doesn’t matter what privilege-dropping capabilities the Chrome sandbox uses. Its reliability isn’t going to change with random ASLR and OS settings. It isn’t going to crash the browser if it fails. Which it won’t. Patch Tuesday isn’t going to fix it either.
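To make the reflected-XSS point concrete from the defender's side, here is an added example (not from the original post or the site it links) that parses the same `/key=value/` path-style parameters the gopstore URL uses, shows the unencoded echo that makes the `se=` search term executable markup, the HTML-encoded rendering that neutralises it, and a simple check a WAF or log review could apply. The path string and the two render functions are constructed for illustration.

```python
import html
from urllib.parse import unquote

# Constructed sample: the same path-style parameter layout as the URL quoted
# in the post, including the img/onerror payload carried in its se= parameter.
SAMPLE_PATH = ("/cgi-bin/rnc/scan/st=db/co=yes/sf=prod_group/"
               "se=stick%3Cimg%20src=0%20onerror=%22alert%281%29%22%20%3Eer/"
               "op=eq/tf=description/ml=12/sp=1stickers.html")


def parse_path_params(path):
    """Split a '/k=v/k=v/' style path into a dict of URL-decoded parameters.

    Only the first '=' in a segment separates key from value, so a value that
    itself contains '=' (like the onerror= attribute here) stays intact.
    """
    params = {}
    for segment in path.split("/"):
        if "=" in segment:
            key, _, value = segment.partition("=")
            params[key] = unquote(value)
    return params


def render_vulnerable(term):
    """The bug the post points at: the search term is echoed into the page as-is."""
    return f"<p>Results for <b>{term}</b></p>"


def render_fixed(term):
    """Mitigation: HTML-encode untrusted data before placing it in element content."""
    return f"<p>Results for <b>{html.escape(term, quote=True)}</b></p>"


def params_with_markup(params):
    """Detection check: names of parameters whose decoded value contains tag delimiters.

    Crude on purpose; it flags candidates for review, it is not a sanitiser.
    """
    return sorted(k for k, v in params.items() if "<" in v or ">" in v)


if __name__ == "__main__":
    p = parse_path_params(SAMPLE_PATH)
    print("decoded se =", p["se"])
    print("vulnerable :", render_vulnerable(p["se"]))
    print("fixed      :", render_fixed(p["se"]))
    print("flagged    :", params_with_markup(p))
```

The encoded output still displays the user's search text verbatim; it just can no longer be parsed as a tag, which is the whole fix for this class of reflected XSS.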

Remember your goals, and choose the best exploits for the job.
