XSS sample using Zone Alarm link

flinchlock · May 24, 2007

As "normal ZA user", I am pretty freakout about XSS!

I am following the advice per https://www.wilderssecurity.com/showpost.php?p=1002678&postcount=38

Recap:

* Using Noscript gives protection from XSS type 1 and, to a certain extent, from XSS type 2.
This protection tends to zero if you whitelist everything, and tends to infinite if you don't whitelist anything.
* When in doubt, and the site seems to already work fine or the content doesn't appear that valuable, don't whitelist.
When in doubt, the content is really valuable and it requires JavaScript (it doesn't work at all otherwise), just "temporary allow".
* The only reason to drop your doubts is the site owner's reputation being such precious that he would refund any amount for damages you may receive from a XSS (which is your problem, but his fault by definition).
You really don't need JavaScript to take your slashdot fix, read a blog or watch some porn
Click to expand...

I am following the advice per https://www.wilderssecurity.com/showpost.php?p=1002745&postcount=41

But yes, Firekeeper for the known plus NoScript for the unknown sounds like a tough combo
Click to expand...

I am following the advice per https://www.wilderssecurity.com/showpost.php?p=1010441&postcount=49

Of the many exploitation scenarios, I will list just 3 because I'm lazy today:

1. Social engineering: the fact it works is demonstrated by this very topic, where many people followed my link even if it was not particularly crafted to be believable (it was quite suspect, indeed)
2. Spoofed email, just like in any phishing scheme but with the distinctive advantage that the link is actually a real ZoneAlarm URL to a real (not spoofed!) ZoneAlarm page: the JavaScript part I left "in clear" for didactic purposes can be effectively and easily obfuscated, but anyway all the adverted humans and the automatic security scanners (e.g. antiphishing toolbars) are trained to look in the URL is its domain.
3. Last but not least, if just one precondition among "automatic completion enabled", "user already logged in" or "persistent authentication cookie (AKA Remember me)" is met, the victim doesn't even need to interact with the injected page or follow any link, as all the action can happen silently inside an invisible iframe (embedded either in a porn site, in a bible blog, in a MySpace page -- very very easy!!! -- or in an incoming HTML email message)
Click to expand...

NO "automatic completion enabled", "user already logged in" or "persistent authentication cookie (AKA Remember me)"

I have a request, every once in a while, can you guys please post a "Recap"?

(My current setup is in my signature.)

Mike

fax · Jun 27, 2007

Re: [Split Topic] XSS sample using ZA link

elio said:

Just noticing [the vulnerability is still there, nice and exploitable[/url], 2 weeks after my original post.
Looks like Zone Alarm people can't read their own logs
Click to expand...

Uuuhm, looks like the log-in system has changed and your exploit does not work anymore...

Or I am missing something?

Cheers,
Fax

elio · Jul 11, 2007

Re: [Split Topic] XSS sample using ZA link

fax said:

Uuuhm, looks like the log-in system has changed and your exploit does not work anymore...
Click to expand...

They fixed it when this topic has been linked by NoScript's author in a slashdot post, and this PoC had been here for more than one month

BTW, the same kind of vulnerability is still available on their site (in another, even more visible page) and can be exploited exactly in the same manner.
But I won't post any link, as promised to forum admins...

fax · Jul 12, 2007

Re: [Split Topic] XSS sample using ZA link

elio said:

They fixed it when this topic has been linked by NoScript's author in a slashdot post, and this PoC had been here for more than one month

BTW, the same kind of vulnerability is still available on their site (in another, even more visible page) and can be exploited exactly in the same manner.
But I won't post any link, as promised to forum admins...
Click to expand...

As usual you should inform them and send the vulnerable link...

Cheers,
Fax

Log in or Sign up

XSS sample using Zone Alarm link

flinchlock Registered Member

fax Registered Member

elio Registered Member

fax Registered Member

Log in or Sign up

XSS sample using Zone Alarm link

flinchlock Registered Member

fax Registered Member

elio Registered Member

fax Registered Member

Useful Searches