Cross-site scripting using meta information - The Community's Center for Security


The central voice for Linux and Open Source security news

Welcome!

Sign up!

EnGarde Community

Polls

What is the most important Linux security technology?

	SELinux
	grsecurity
	CIS Benchmark
	Bastille Linux
	iptables
	LIDS

Advisories

Community

Linux Events

Linux User Groups

Link to Us

Security Center

Book Reviews

Security Dictionary

Security Tips

SELinux

White Papers

Featured Blogs

All About Linux

DanWalsh LiveJournal

Securitydistro

Latest Newsletters

Linux Security Week: May 14th, 2012

Linux Advisory Watch: May 10th, 2012

LinuxSecurity Newsletters

RSS Feeds

Get the LinuxSecurity news you want faster with RSS

Cross-site scripting using meta information

User Rating:

How can I rate this item?

Source: H Security - Posted by Alex

According to security expert Tyler Reguly of nCircle, data fields for storing meta-information offer plenty of latitude for future cross-site scripting (XSS) attacks. JavaScript embedded in Whois and DNS records and in SSL certificates, for instance, can, under certain circumstances, be executed in a browser. There are, for example, web services which carry out online checks on SSL certificates from other servers. As well as cryptographically relevant information, such services also display data on a certificate's owner and who it was issued by.

If a service fails to filter the query data correctly, the user's browser may execute JavaScript contained in the query. Attackers could exploit this to carry out various activities, such as copying login cookies or changing a user's profile settings (for their account for the web service). SSL Shopper is one service provider which was affected by this issue – and has now resolved the problem. According to Reguly, the whois service provided by WhatsMyIP.org was also affected by a 'meta information cross-site scripting' (MIXSS) vulnerability. It has also since corrected the problem.

Read this full article at H Security