Hey guys,
I just read this post about really nasty (and cool at the same time) ways to perform XSS. However, there is still something unclear to me.
I understand the full concept of the attack, however, I don't see how this can potentially be exploited. The "action" attribute inside the form must point to a ftp server (or any other server that reflects input), but this is never the case.
So unless you have another XSS hole to inject such a form this vulnerability cannot be exploited. My question is if my conclusion that it cannot be exploited is true, or that I'm missing something?
This is exploitable as follows.
- MrCrim wants to steal the login of someone that uses victim.net
- MrCrim notices that victim.net is running an ftp server on an unusual port
- MrCrim puts up a form on his own site, evil.com
- The form contains the "ftp commands" in the form elements and its post action is to victim.net
- MrCrim writes a JS script that steals document.cookie from a site and hosts that script in a .js file on evil.com. It probably works by including the cookie string as part of an image source URL that is requested from evil.com
- One of the "ftp commands" in MrCrim's form is constructed to write a small bit of JS that executes MrCrim's cookie-stealing script
- MrCrim tempts people to look at evil.com by posting links on forums and sending spam.
- UnsuspectingUser follows a link posted in his favourite forum and lands at evil.com. He posts the form, not knowing of its evil and wily intentions
- UnsuspectingUser is now on victim.net and Bam! the JS "injected" by the FTP server is executed and UnsuspectingUser's cookie for victim.net gets sent to evil.com
- Profit! :-)
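As an added example (not part of the original thread), here is a small Python model of the reflection that makes the trick above work, placed next to the server-side fix: a line-based, FTP-style text service that copies an unrecognised command into its "500" error reply, and a hardened variant that closes the session as soon as the first line is shaped like an HTTP request and never echoes client bytes at all. The service, its command set, the port 2121 and the request bytes are all constructed for illustration; they are not from the post and not from any real FTP daemon.

```python
"""Toy model of a text service that reflects unknown commands (unsafe) and a
hardened variant that does not.  Constructed example, not code from the thread.

When a browser is tricked into POSTing a form to a non-HTTP port, it first
sends an HTTP request line ("POST / HTTP/1.1"), then headers, then the form
body.  Whatever the service writes back is rendered by the browser as the
response to that POST, so an echoed command becomes attacker-controlled
markup in the victim site's origin.
"""
import re

# First line of a browser-originated request.  Checked with re.match, so it
# is anchored at the start of the line.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|OPTIONS) \S+ HTTP/1\.[01]$")

# Minimal constructed command set for the toy service.
KNOWN_COMMANDS = {b"USER", b"PASS", b"QUIT", b"NOOP"}


def vulnerable_reply(line: bytes) -> bytes:
    """Reflect an unrecognised command verbatim: the behaviour the thread relies on."""
    cmd = line.split(b" ", 1)[0].upper()
    if cmd in KNOWN_COMMANDS:
        return b"200 OK\r\n"
    # Client-controlled bytes are copied straight into the response.
    return b"500 '" + line + b"': command not understood\r\n"


def hardened_reply(line: bytes):
    """Refuse HTTP-shaped sessions and keep client bytes out of every reply.

    Returns None to signal "close the connection without answering".
    """
    if HTTP_REQUEST_LINE.match(line):
        return None
    cmd = line.split(b" ", 1)[0].upper()
    if cmd in KNOWN_COMMANDS:
        return b"200 OK\r\n"
    # Fixed text only: nothing the client sent appears in the error.
    return b"500 Command not understood\r\n"


def session(handler, request: bytes) -> bytes:
    """Feed a raw request to a handler line by line, stopping when it closes."""
    out = []
    for line in request.split(b"\r\n"):
        if not line:
            continue  # skip the blank line between headers and body
        reply = handler(line)
        if reply is None:
            break
        out.append(reply)
    return b"".join(out)


# Constructed request: what a browser would send when a form on another site
# has its action set to http://victim.net:2121/ and a single field "cmd".
# A harmless <b> tag stands in for the injected markup.
CONSTRUCTED_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: victim.net:2121\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"cmd=<b>reflected</b>\r\n"
)


def demo() -> dict:
    """Run the same request against both handlers and return their output."""
    return {
        "vulnerable": session(vulnerable_reply, CONSTRUCTED_REQUEST),
        "hardened": session(hardened_reply, CONSTRUCTED_REQUEST),
    }


if __name__ == "__main__":
    for name, output in demo().items():
        print(f"--- {name} ---")
        print(output.decode(errors="replace"))
```

The vulnerable handler answers every header and the form body with an error that contains the line itself, so the browser receives the `<b>` tag (or, in the scenario above, a script tag) inside a document served from victim.net. The hardened handler sends nothing once it sees an HTTP request line, and even for ordinary unknown commands its error text is fixed. Browsers also ship a list of blocked ports, and 21 is on it, which is why the answer needs the FTP server on an unusual port; the server-side check does not depend on that list.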