
Re: [Full-disclosure] WebScarab <= 20060621-0003 cross site scripting

From: Rogan Dawes <discard_at_nospam>
Date: Fri May 04 2007 - 22:36:25 GMT
To: security@moritz-naumann.com, Full Disclosure <full-disclosure@lists.grok.org.uk>, bugtraq@securityfocus.com, moderators@osvdb.org


security@moritz-naumann.com wrote (a LONG time ago):
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> SA0012
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> +++++ WebScarab Cross Site Scripting +++++
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>
> PUBLISHED ON
> Jul 18, 2006
>
>
> PUBLISHED AT
> http://moritz-naumann.com/adv/0012/webscarabxss/0012.txt
> http://moritz-naumann.com/adv/0012/webscarabxss/0012.txt.gpg
>
>
> PUBLISHED BY
> Moritz Naumann IT Consulting & Services
> Hamburg, Germany
> http://moritz-naumann.com/
>
> SECURITY at MORITZ hyphon NAUMANN d0t COM
> GPG key: http://moritz-naumann.com/keys/0x277F060C.asc
>
>
> AFFECTED APPLICATION OR SERVICE
> WebScarab
> http://www.owasp.org/index.php/OWASP_WebScarab_Project
> http://sourceforge.net/projects/owasp/
>
> WebScarab is Free Software for manual and semi-automatic
> web application penetration testing. It is developed in
> Java by Rogan Dawes as part of the Open Web Application
> Security Project (OWASP).
>
>
> AFFECTED VERSIONS
> Version 20060621-0003 and below
>
>
> ISSUES
> WebScarab is subject to a client side script code injection
> vulnerability which may allow for running cross site
> scripting attacks against web clients connecting through it.
>
> +++++ 1. Cross Site Scripting vulnerability in error
> messages
>
> By accessing the following URI using a web browser which is
> prone to this issue and configured to proxy through a
> vulnerable version of WebScarab, a non-persistent web script
> injection can be achieved:
>
> http://arbitrary.domain/</pre><script>alert(0);</script>
>
> This allows for disclosure of sensitive data stored in the
> security context of any arbitrary domain which the web browser
> has previously accessed but WebScarab is not able to access
> by the time the attack takes place (due to invalid upstream
> proxy setting on WebScarab, different results of DNS queries,
> limited connectivity or other reasons).
>
> MS Internet Explorer 6 SP2 and Konqueror 3.5.3 are known to
> be prone to this issue. This problem is caused by insufficient
> sanitation of user supplied input before it is returned to
> the client as part of an error message.
>
>
> BACKGROUND
> Cross Site Scripting (XSS):
> Cross Site Scripting, also known as XSS or CSS, describes
> the injection of malicious content into output produced
> by a web application. A common attack vector is the
> inclusion of arbitrary client side script code into the
> applications' output. Failure to completely sanitize user
> input from malicious content can cause a web application
> to be vulnerable to Cross Site Scripting.
>
> http://en.wikipedia.org/wiki/XSS
> http://www.cgisecurity.net/articles/xss-faq.shtml
>
>
> WORKAROUNDS
> Client: Disable Javascript.
> Server: None known.
>
>
> SOLUTIONS
> Rogan Dawes has released version 20060718-1904 today.
> This version fixes this issue. The updated package is
> available at
>
> http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823
>
>
> TIMELINE
> Jul 18, 2006: Discovery, code maintainer notification
> Jul 18, 2006: Code maintainer provides fix
> Jul 18, 2006: Public advisory
>
>
> REFERENCES
> N/A
>
>
> ADDITIONAL CREDIT
> N/A
>
>
> LICENSE
> Creative Commons Attribution-ShareAlike License Germany
> http://creativecommons.org/licenses/by-sa/2.0/de/

Due to a complete lack of actual testing, the above-mentioned "fix" for this problem didn't actually do anything. Thanks to Nathaniel Roberts for pointing this out, even almost a year later.

A new release of WebScarab has been published that does actually fix this. It can be obtained from
<https://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823>

The full changelog since the previous version is available at <https://sourceforge.net/project/shownotes.php?release_id=506001&group_id=64424>

Regards,

Rogan Dawes



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/