Page Two

By Timothy Dyck  |  Posted 2002-10-25 Print this article Print

: Crack in OpenHack"> This vulnerability wouldnt get an attacker far, however, because the page properly detected that this string was an invalid user ID. Even if this check had failed, the application would have replaced angle brackets, quotes, parentheses and semicolons with spaces before the user input was saved in the database. One hour after reporting the first vulnerability, Poteet reported a second successful cross-site scripting attack. This one occurred in a separate area of the site, where logged-in users are asked to confirm various inputs entered on a previous page. One of these inputs is a URL.
Poteets second attack mode would be harder for site administrators to detect because it doesnt use any tags that tip it off as script code.
During his OpenHack crack, Poteet subverted the HTML control characters in the URL display code that turns the URL into a clickable link. He submitted the string a" onclick="javascript:alert(document.cookie); as his URL. When the code was placed between anchor tags that the application adds automatically, a clickable URL with an associated JavaScript block was created. In contrast to the first case, this input passes the applications first line of input checks and is considered a legal URL. However, when saved, another input sanitization routine swings into action and makes the URL script code non-functional by removing the two parentheses and semicolon from it. This second-layer defense restricts the attack to one particular verify page and to the logged-on user that submitted the bad URL in the first place. Poteet tried his cross-site scripting attacks against the functionally identical Microsoft test application, but both were blocked there. Oracle fixed both problems the same day they were confirmed. West Coast Technical Director Timothy Dyck can be reached at

Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelors degree of mathematics in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a masters of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel