WebScarab Vulnerable to XSS
Moritz Naumann just published a cross site scripting vulnerability in WebScarab today. The details are pretty obvious, and I’m surprised it took this long to find it. (I don’t personally use WebScarab, as Burp Proxy is far more useful in my opinion, even though I do have to have Java installed for it, which can be a pain if I’m in a pinch.)
But this is an interesting trend I picked up on last year at DefCon. There were a handful of talks about how you could exploit one security service or another and get access to some device. I have mixed feelings about that. Yes, security people should code secure systems. But are security products ubiquitous enough to make for a valid attack vector? I mean, how many people do you see roaming around with WebScarab installed and running? If I were to put that exploit on this page, I’d probably have one of the highest hit ratios anywhere for that vulnerability actually working, given the users who visit it. I bet it’s still less than 0.1% of the users who visit this site who are actively running WebScarab while they read this blog.
So perhaps that’s not worth mentioning. Another common XSS vulnerability I’ve seen in security products is one where an admin must enter the XSS payload himself, and only then can another admin be hit by it. Sure, there is some grey area here: I could see a rogue admin who knows he’s going to get fired and wants to keep access to the machines using it, but that’s one of a thousand ways to do that as an insider. So maybe that’s not particularly valid either. But what about things like breaking into IDS boxes and gaining access to poorly set up networks? Sure, there I can see that being a valid exploit. Taking it further, what about getting remote access to machines running an anti-virus product? Since a huge percentage of users have one installed these days, I’d say that qualifies as a valid attack vector that needs to be dealt with.
I guess my point is, most of these exploits in security systems are interesting in academia only, not as a valid attack vector. Although I think what Moritz found is impressive, it would be very difficult to exploit efficiently. One could argue, though, that the people who have it installed are harder to exploit than most people, so perhaps it is somehow worth more to target them directly; i.e. someone who has WebScarab installed probably has access to a number of other sites that would make him a valuable target to penetrate. Interesting theory anyway.


