I got an interesting email today that I thought was worth exploring. One thing I haven’t really explained in much detail is exactly what can be done with XSS. Sure, there are obvious implications, like cookie theft, and defacement/phishing, but what about some other web application security issues? Here’s the email:
Is there any other possible application of an XSS vulnerability, other than showing HTML text on the affected page, that will be visible only on that page and does not change any server files? (or stealing cookies) Can the XSS change/delete pages, add pages, browse admin directories?
If the application itself has the ability to change files, sure, XSS combined with CSRF can do anything that the user has access to. I actually responded to an almost completely unrelated issue the other day that got me thinking about this. Recently someone asked if IP based security had any issues. Here was my email:
Hi, Darryl, this is really more of a network security question than an application security question, but let me take a stab at it. It is possible, although very unlikely, that they can spoof an IP packet to run some command on the server. They would be doing so blind though, as they wouldn’t see the responses. There is a fairly good article here: http://www.cosc.brocku.ca/~cspress/HelloWorld/1999/03-mar/spoofing.html
This really isn’t super practical on a lot of modern systems because they do a better job of reducing the predictability of the ISN to create the fake three-way connection. Also, if the server is under any sort of load it makes it more difficult. Also, the attacker would have to know exactly what to craft to make that happen (so unless it’s open source, that simple fact alone will make exploitation much more difficult).
So yes, theoretically it’s a bad idea, in practice it’s pretty difficult to exploit from a black box perspective. Beware people on your local LAN though, they’ll have a much easier time exploiting than an outsider would as they have visibility into packets in both directions if they are sniffing the network.
So after completely blowing this out of the web app sec world and into the network security world, I realized I was missing a fairly major issue: CSRF via XSS. Because IP based rules rely on one thing (the IP address in question performing the task in question), all it requires is that you get the IP address to perform an action for you.
So let’s say you have a web application with a rule built in that allows a function only when the request comes from an approved IP address, and nothing else. Let’s say I can get a user from that same IP address (for example, a company behind a NAT) to view a webpage under my control. At that point the victim user’s browser connects to the function from the trusted address and performs the action on my behalf.
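To make the point concrete, here is an added example (my own illustration, not code from the original post) modelling a server-side authorization check. The IP-only rule from the scenario above is shown beside a hardened version that keeps the IP restriction but also requires a session-bound CSRF token and a same-origin Origin/Referer header; the address block, origin and secret are constructed placeholders.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed values for the example: an office NAT address block, the app's origin,
# and a server-side secret the browser never sees.
TRUSTED_PREFIX = "203.0.113."            # hypothetical NAT block the rule trusts
APP_ORIGIN = "https://intranet.example"  # hypothetical application origin
SERVER_SECRET = b"example server-side secret (constructed)"

@dataclass
class Request:
    remote_ip: str      # source address as the server sees it (the NAT's address)
    method: str
    headers: dict       # Origin/Referer are set by the browser, not by page script
    session_id: str     # from the session cookie, which the browser sends automatically
    form: dict

def ip_only_allows(req: Request) -> bool:
    """The weak rule from the post: anything from the trusted address may run the function."""
    return req.remote_ip.startswith(TRUSTED_PREFIX)

def csrf_token_for(session_id: str) -> str:
    """Synchronizer token bound to the session; a page on another origin cannot compute it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def hardened_allows(req: Request) -> bool:
    """Keep the IP restriction, then tie the request to the user's own action on the app."""
    if not ip_only_allows(req) or req.method != "POST":
        return False
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not (source == APP_ORIGIN or source.startswith(APP_ORIGIN + "/")):
        return False
    expected = csrf_token_for(req.session_id)
    return hmac.compare_digest(req.form.get("csrf_token", ""), expected)

# Constructed requests: both arrive from the trusted NAT address with the victim's cookie.
LEGIT = Request("203.0.113.7", "POST", {"Origin": APP_ORIGIN}, "sess-victim",
                {"action": "delete_page", "csrf_token": csrf_token_for("sess-victim")})
FORGED = Request("203.0.113.7", "POST", {"Origin": "https://attacker.example"}, "sess-victim",
                 {"action": "delete_page"})  # submitted by a page the victim merely viewed

if __name__ == "__main__":
    for name, req in (("legitimate", LEGIT), ("forged", FORGED)):
        print(f"{name}: ip-only={ip_only_allows(req)} hardened={hardened_allows(req)}")
```

The token defeats a request forged from another origin, but script running on the application's own origin (an XSS bug in the app itself) can read the token from the page, so output encoding remains necessary alongside the CSRF check.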