Wilders Security Forums
#51
May 24th, 2007, 08:33 AM
flinchlock
Frequent Poster
Join Date: Jan 2005
Location: Michigan
Posts: 544
Re: XSS sample using Zone Alarm link

As a "normal ZA user", I am pretty freaked out about XSS!

I am following the advice per http://www.wilderssecurity.com/showp...8&postcount=38
Quote:
Recap:

* Using NoScript gives protection from XSS type 1 and, to a certain extent, from XSS type 2.
This protection tends to zero if you whitelist everything, and tends to infinite if you don't whitelist anything.
* When in doubt, and the site seems to already work fine or the content doesn't appear that valuable, don't whitelist.
When in doubt, the content is really valuable and it requires JavaScript (it doesn't work at all otherwise), just "temporary allow".
* The only reason to drop your doubts is the site owner's reputation being so precious that he would refund any amount for damages you may receive from an XSS (which is your problem, but his fault by definition).
You really don't need JavaScript to take your slashdot fix, read a blog or watch some porn.
I am following the advice per http://www.wilderssecurity.com/showp...5&postcount=41
Quote:
But yes, Firekeeper for the known plus NoScript for the unknown sounds like a tough combo
I am following the advice per http://www.wilderssecurity.com/showp...1&postcount=49
Quote:
Of the many exploitation scenarios, I will list just 3 because I'm lazy today:

1. Social engineering: the fact it works is demonstrated by this very topic, where many people followed my link even if it was not particularly crafted to be believable (it was quite suspect, indeed)
2. Spoofed email, just like in any phishing scheme but with the distinctive advantage that the link is actually a real ZoneAlarm URL to a real (not spoofed!) ZoneAlarm page: the JavaScript part I left "in clear" for didactic purposes can be effectively and easily obfuscated, but anyway all that alerted humans and the automatic security scanners (e.g. antiphishing toolbars) are trained to look at in the URL is its domain.
3. Last but not least, if just one precondition among "automatic completion enabled", "user already logged in" or "persistent authentication cookie (AKA Remember me)" is met, the victim doesn't even need to interact with the injected page or follow any link, as all the action can happen silently inside an invisible iframe (embedded either in a porn site, in a bible blog, in a MySpace page -- very very easy!!! -- or in an incoming HTML email message)
NO "automatic completion enabled", "user already logged in" or "persistent authentication cookie (AKA Remember me)"

I have a request, every once in a while, can you guys please post a "Recap"?

(My current setup is in my signature.)

Mike
__________________
XP Pro/SP3 | Brain.exe | IPCop: HW Stateful Linux Firewall | Firefox + NoScript | IE6 + Local Security Policy + IE-SPYAD | DOS user |
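The scenarios quoted above all start from the same defect: a login page that echoes a request parameter into its HTML without encoding it (a reflected, "type 1" XSS). The following is an added example, not code from this thread or from ZoneAlarm, showing the vulnerable pattern next to the output-encoded fix and a small check that counts the tags in the rendered markup. The function names (renderLoginFormUnsafe, renderLoginFormSafe, countTags) and the sample query string are assumptions constructed for the example.

```javascript
// Added example (not from the thread): reflected XSS in a login form and the
// output-encoding fix. Function names and sample input are constructed here.

// Minimal HTML entity encoder for untrusted text placed inside element
// content or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: the "user" query parameter is echoed into the page
// verbatim, so anything in the URL becomes part of the page's markup.
function renderLoginFormUnsafe(queryString) {
  const params = new URLSearchParams(queryString);
  const user = params.get("user") || "";
  return `<form method="post"><input name="user" value="${user}"></form>`;
}

// Hardened pattern: the same template, but every untrusted value is encoded
// for the HTML attribute context it lands in.
function renderLoginFormSafe(queryString) {
  const params = new URLSearchParams(queryString);
  const user = params.get("user") || "";
  return `<form method="post"><input name="user" value="${escapeHtml(user)}"></form>`;
}

// Simple check used for testing: how many tag openers does the rendered
// markup contain? The template itself emits exactly three (<form, <input,
// </form); any extra one came from the request.
function countTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// Constructed sample query string: a value that closes the attribute and
// starts a new element, the shape of an attribute-context injection.
const SAMPLE_QUERY = "user=" + encodeURIComponent('"><b>x</b>');

// Stand-alone demonstration.
console.log("unsafe:", renderLoginFormUnsafe(SAMPLE_QUERY));
console.log("safe:  ", renderLoginFormSafe(SAMPLE_QUERY));
console.log("tags unsafe/safe:",
  countTags(renderLoginFormUnsafe(SAMPLE_QUERY)),
  countTags(renderLoginFormSafe(SAMPLE_QUERY)));
```

The unsafe renderer produces five tag openers for the sample input (the injected `<b>` and `</b>` join the template's own three), while the safe renderer still produces exactly three, because the quote and angle brackets arrive in the page as entities. This is what NoScript's blocking of script on an untrusted site approximates from the client side; the server-side encoding is the fix the site owner is responsible for.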
#52
June 27th, 2007, 06:59 AM
fax
Very Frequent Poster
Join Date: May 2005
Posts: 2,553
Re: [Split Topic] XSS sample using ZA link

Quote:
Originally Posted by elio
Just noticing the vulnerability is still there, nice and exploitable, 2 weeks after my original post.
Looks like Zone Alarm people can't read their own logs

Uuuhm, looks like the log-in system has changed and your exploit does not work anymore...

Or I am missing something?

Cheers,
Fax
#53
July 11th, 2007, 09:10 AM
elio
Regular Poster
Join Date: May 2007
Posts: 77
Re: [Split Topic] XSS sample using ZA link

Quote:
Originally Posted by fax
Uuuhm, looks like the log-in system has changed and your exploit does not work anymore...
They fixed it when this topic was linked by NoScript's author in a slashdot post, and this PoC had been here for more than one month.

BTW, the same kind of vulnerability is still available on their site (in another, even more visible page) and can be exploited exactly in the same manner.
But I won't post any link, as promised to forum admins...
__________________
XSS me if you can
#54
July 12th, 2007, 06:12 AM
fax
Very Frequent Poster
Join Date: May 2005
Posts: 2,553
Re: [Split Topic] XSS sample using ZA link

Quote:
Originally Posted by elio
They fixed it when this topic was linked by NoScript's author in a slashdot post, and this PoC had been here for more than one month.

BTW, the same kind of vulnerability is still available on their site (in another, even more visible page) and can be exploited exactly in the same manner.
But I won't post any link, as promised to forum admins...

As usual you should inform them and send the vulnerable link...

Cheers,
Fax