web application security lab

Cross Site Scripting Talk at Blackhat

There is an interesting link on Darkreading talking about Jeremiah Grossman’s upcoming talk at Blackhat. It looks like he is spilling a little bit of the beans so that people understand what the talk is about and why it is important to attend. So yes, this is something that I’ve been thinking about for a long time: how can you use cross site scripting to attack networked devices, instead of just attacking a stand-alone user? Well, after he and I discussed it, he went off and built a working prototype from the original idea.

The original idea was simply to brute force a password on a firewall or routing device that used a web based administration interface. The problem is that a huge percentage of those use HTTP Basic authentication rather than a web form. Modern browsers all pop up a credentials dialog, and to my knowledge there is no way to suppress it (if anyone knows of a way I’d be very interested to hear it). Jeremiah took that idea and ran with it, attacking all sorts of other network appliances. I’ll abstain from going into more details until after his talk is over, because I think it’s better to see it than to have me explain it. But I would recommend you be there if you are at all interested in intranet security.
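The reason a Basic-auth admin interface is such an easy brute-force target is that every wrong guess simply gets another 401 and the device happily keeps evaluating guesses. As an added illustration (not code from this post or from any real router firmware), here is the defender’s side: a constructed admin handler that decodes Basic credentials and, after a few failures from one client, stops answering with 401 + WWW-Authenticate and returns 403 instead, so further guesses are no longer evaluated. The credential, realm, and thresholds are made-up sample values.

```python
import base64
import hmac
import time
from collections import defaultdict

# Constructed sample values for the example admin interface.
VALID_USER = "admin"
VALID_PASSWORD = "s3cret-example"
MAX_FAILURES = 3          # failed guesses allowed per client in the window
LOCKOUT_SECONDS = 300     # window / lockout length

_failures = defaultdict(list)   # client_ip -> timestamps of failed attempts

def basic_header(user, password):
    """Build an 'Authorization: Basic ...' header value (used for testing)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header):
    """Return (user, password) from a Basic auth header value, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def is_locked_out(client_ip, now):
    """True if this client has hit MAX_FAILURES within the last LOCKOUT_SECONDS."""
    recent = [t for t in _failures[client_ip] if now - t < LOCKOUT_SECONDS]
    _failures[client_ip] = recent
    return len(recent) >= MAX_FAILURES

def handle_admin_request(client_ip, auth_header, now=None):
    """Return (status, response_headers) for a request to the admin interface."""
    now = time.time() if now is None else now
    if is_locked_out(client_ip, now):
        # 403 without WWW-Authenticate: no re-prompt, and the guess is not checked at all.
        return 403, {}
    creds = parse_basic(auth_header)
    if creds is not None:
        user, password = creds
        ok = hmac.compare_digest(user.encode(), VALID_USER.encode()) and \
             hmac.compare_digest(password.encode(), VALID_PASSWORD.encode())
        if ok:
            return 200, {}
        _failures[client_ip].append(now)     # record the bad guess
        if is_locked_out(client_ip, now):
            return 403, {}
    return 401, {"WWW-Authenticate": 'Basic realm="router"'}
```

Note that a real device would also want to log the lockout event, since a burst of failed admin logins from an internal client is exactly the signal that one of its users’ browsers is being driven by someone else.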

3 Responses to “Cross Site Scripting Talk at Blackhat”

  1. WhiteAcid Says:

    I’m not exactly sure how you’re planning to load the firewall/router config panel. My first thought was if you could create an image tag and get the response Status header. Loading something like:
    <img src="http://test:pass@192.168.0.1/" /> does not ask for a username/password even if the details are wrong. Also neither IE nor FF asked the user if they were sure they wanted to use those details, which they do if you type the details into the address bar.

  2. WhiteAcid Says:

    Uhm… never mind me. If the password is wrong it does ask the user again. The only thing I can think of is filtering the request through some place that removes 403 status messages. But of course routing it through some place defeats the point of them doing the attacking themselves.

  3. RSnake Says:

    Haha… having a senior moment, WhiteAcid? It’s okay, it happens to the best of us. ;)

    Guessing a common password might work if you guess something that will work 30% of the time or something (seems like bad odds, but could be devastating if you consider 1MM users got exploited via the MySpace cross site scripting worm). No matter how you slice it, it’s not good. Jeremiah will show the nitty gritty of all the other problems that this will cause. Honestly, this is just the tip of the iceberg.