In association with heise online

19 June 2008, 10:11

Five year old XSS bug still exploitable


Sandro Gauci of EnableSecurity has released an update of his 2002 paper describing a cross-site scripting attack that makes use of non-HTTP protocols.

Gauci found that if a crafted page sends a form containing JavaScript to a legitimate non-HTTP server that echoes back the form content, the JavaScript executes in the security context of the legitimate domain. His update discloses that five years on most web browsers still do not block non-HTTP ports exhaustively enough to prevent this attack.

Gauci has tested the following browsers:

  • Internet Explorer 6
  • Internet Explorer 7
  • Internet Explorer 8 (beta 1)
  • Opera 9.27
  • Opera 9.50
  • Safari 1.32
  • Safari 3.1.1

all of which are apparently still vulnerable to varying extents. Of course, the browsers are not the sole contributors to the hazard. No service should be echoing back unsanitised user input.
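The last point is the server-side half of the fix. The following is an added example, not code from the article or from Gauci's paper: a handler for a toy line-oriented, non-HTTP service (the SMTP-style numeric replies and command names are constructed for illustration) that drops a connection as soon as the first line looks like an HTTP request, so a browser-posted form is never answered, and that never reflects raw client input when reporting an unknown command.

```python
import re
from typing import List, Optional

# Constructed toy protocol: a few known commands, SMTP-style numeric replies.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|OPTIONS) \S+ HTTP/\d\.\d$")
SAFE_TOKEN = re.compile(rb"^[A-Za-z0-9_-]{1,16}$")
KNOWN_COMMANDS = {b"HELO", b"NOOP", b"QUIT"}


def looks_like_http(line: bytes) -> bool:
    """True if a protocol line is really an HTTP request line (e.g. from a browser form post)."""
    return HTTP_REQUEST_LINE.match(line.strip()) is not None


def handle_line(line: bytes) -> Optional[bytes]:
    """Return the reply for one client line, or None to drop the connection.

    Rule 1: an HTTP request line means a browser has been pointed at this
    port; answer nothing, so no page content can be reflected to it.
    Rule 2: an unknown command is reported with fixed text; the client's
    token is echoed only if it is a short, strictly alphanumeric word, so
    angle brackets, quotes and control characters never reach the reply.
    """
    if looks_like_http(line):
        return None
    cmd = line.strip().split(b" ", 1)[0].upper()
    if cmd in KNOWN_COMMANDS:
        return b"250 OK\r\n"
    if SAFE_TOKEN.match(cmd):
        return b"500 Unknown command: " + cmd + b"\r\n"
    return b"500 Unknown command\r\n"


def run_session(lines: List[bytes]) -> List[bytes]:
    """Feed lines in order and collect replies; stop at the first dropped line."""
    replies = []
    for line in lines:
        reply = handle_line(line)
        if reply is None:
            break
        replies.append(reply)
    return replies


if __name__ == "__main__":
    # Constructed sample: what a browser-submitted form looks like on the wire.
    posted_form = [b"POST /echo HTTP/1.1\r\n", b"Host: example.invalid\r\n",
                   b"\r\n", b"field=<script>alert(1)</script>\r\n"]
    print(run_session(posted_form))          # [] - nothing reflected
    print(run_session([b"HELO a\r\n", b"<b>x</b>\r\n", b"QUIT\r\n"]))
```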
