Page Two

By Jeremy Poteet  |  Posted 2002-12-02 Print this article Print

: Hackers Log"> However, when I chose a duplicate ID, it returned the duplicate ID in the user ID field along with an error message. When I saw the data returned to the screen, I tried using a script tag as the user ID. This proved to be successful.

I know the Oracle developers were aware that hidden form fields can be modified, but I believe this vulnerability was missed in their initial assessments because the screen can be used in multiple contexts.

To ensure a secure system, each scenario must be run through the logic to ensure that all cases are dealt with appropriately.

The second cross-site scripting bug I discovered was in the URL field on the "Product or Services" Web page. The field seemed to use the same field input validation routine as the rest of the application. However, the context in which this field was used, constructing a URL, was different from any other fields in the application.

I entered a normal URL and looked at the HTML source that was returned to see the specific syntax I needed to inject into. Because the same routine that was used for checking the large comment fields was being used to check the URL, characters such as ", =, (, ) and a space were all considered valid. Adding a JavaScript event to the anchor tag was a simple process and proved to be effective.

Although the technique I used to exploit this cross-site scripting vulnerability was different from the one I described earlier, the source problem was actually the same.

Reuse is an important concept in software development and can be very useful in a well-designed security model, but the developer must be careful not to allow reuse to expose security holes.

The same validation routine was used in all cases, even though the context in which the fields were being used was not consistent. This variation in field usage should have resulted in a corresponding variation in the field validation routines.

This reuse, combined with the fact that cross-site scripting can be accomplished in a variety of ways, allowed my successful attack.

Jeremy Poteet ( is chief technology officer at IT consultancy Technology Partners Inc., based in Chesterfield, Mo. Company information can be found at


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel