heise online IT news, features and forums at heise online UK
19 June 2008, 11:11

Five year old XSS bug still exploitable

Sandro Gauci of EnableSecurity has released an update of his 2002 paper describing a cross-site scripting attack that makes use of non-HTTP protocols.


Gauci found that if a crafted page submits a form containing JavaScript to a legitimate non-HTTP server that echoes the form content back, the browser renders the echoed reply as HTML and the JavaScript executes in the security context of the legitimate domain. His update discloses that, five years on, most web browsers still do not block enough non-HTTP ports to prevent this attack.

Gauci has tested the following browsers:

  • Internet Explorer 6
  • Internet Explorer 7
  • Internet Explorer 8 (beta 1)
  • Opera 9.27
  • Opera 9.50
  • Safari 1.32
  • Safari 3.1.1

all of which are apparently still vulnerable to varying extents. Of course, the browsers are not the sole contributors to the hazard: no service should be echoing back unsanitised user input.
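The following is an added example, not code from the heise article or from Gauci's paper. It simulates the attack path described above and the server-side remedy mentioned in the last sentence: the raw bytes a browser emits for a crafted text/plain form, a toy line-oriented service (modelled loosely on SMTP-style numeric replies, not on any real daemon) that reflects unrecognised input, and a hardened variant of the same service that does not. The host name, port, command set and payload are all constructed for illustration.

```python
"""Added example; not code from the heise article or from Gauci's paper.
Simulates a crafted form posted to a non-HTTP port, a toy line-based
service that echoes unknown input, and a hardened variant. Host, port,
commands and payload are constructed for illustration only."""
import re

# Constructed attacker payload. If the service reflects it and the browser
# renders the reply as HTML, it runs in the origin the form was posted to.
PAYLOAD = "<script>alert(document.domain)</script>"


def raw_post(host: str, port: int, fields: dict) -> str:
    """Bytes a browser emits for <form method="POST" enctype="text/plain"
    action="http://host:port/">. With text/plain encoding each field is one
    'name=value' line, so a line-based service on that port reads the
    script tag as just another (unknown) command line."""
    body = "".join(f"{k}={v}\r\n" for k, v in fields.items())
    return (
        "POST / HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Content-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"\r\n{body}"
    )


KNOWN = {"HELO", "NOOP", "QUIT"}  # constructed command set for the toy service


def _lines(stream: str):
    return [ln for ln in stream.split("\r\n") if ln]


def echoing_service(stream: str) -> str:
    """Vulnerable toy service: reflects every unrecognised line verbatim,
    which is exactly the behaviour the article warns against."""
    out = []
    for line in _lines(stream):
        cmd = line.split(" ", 1)[0].upper()
        if cmd in KNOWN:
            out.append(f"250 {cmd} ok")
        else:
            out.append(f"500 unrecognised command: {line}")  # raw echo
    return "\r\n".join(out) + "\r\n"


def hardened_service(stream: str) -> str:
    """Same protocol, but reflects at most a short alphanumeric token, so
    markup from the client can never appear in the reply."""
    out = []
    for line in _lines(stream):
        cmd = line.split(" ", 1)[0].upper()
        if cmd in KNOWN:
            out.append(f"250 {cmd} ok")
        else:
            token = re.sub(r"[^A-Za-z0-9]", "", cmd)[:16]
            out.append(f"500 unrecognised command: {token}")
    return "\r\n".join(out) + "\r\n"


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def reply_is_dangerous(reply: str) -> bool:
    """A browser that sniffs the reply as HTML would act on a script tag."""
    return SCRIPT_TAG.search(reply) is not None


def run_attack(service) -> tuple:
    """Drive one service with the crafted form; return (dangerous, reply)."""
    stream = raw_post("victim.example", 25, {"x": PAYLOAD})  # constructed target
    reply = service(stream)
    return reply_is_dangerous(reply), reply


if __name__ == "__main__":
    for svc in (echoing_service, hardened_service):
        dangerous, reply = run_attack(svc)
        print(f"{svc.__name__}: script reflected = {dangerous}")
        print(reply)
```

Running the block shows the echoing service returning the script tag inside its error line (the HTTP request line and headers are echoed as "unrecognised commands" too), while the hardened service returns only a truncated alphanumeric token. Whether a browser ever delivers such a form to a given port is the client-side half of the problem that Gauci's update measures; the server-side half is entirely in the service's hands.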

(mba)
