Wednesday, April 07, 2010

Introducing Meta-Information XSS

A few months back I was playing around with DNS TXT records and started thinking about what I could put in them. Given that so much of my time is spent on web application security, my first attempt was a simple XSS payload. Then I just needed a web page to display the record, so I started looking at websites that perform DNS resolution for you and websites that verify SPF records. None of these websites filtered the data before displaying it. This led me to look at other types of meta-information (or metadata) we access, manipulate and view on a daily basis but never really consider as potentially harmful. Other sources that came up included Whois data, SSL certificate fields, and server banners (SMTP/HTTP). I'm sure there are others, but these are the ones I looked at.
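
The following is an added example, not code from the original post or from any of the lookup sites mentioned: a minimal "lookup results" page renderer that shows how a DNS TXT record, a Whois field or a server banner becomes XSS the moment it is concatenated into HTML, and how output encoding stops it. The record values, labels and function names are constructed for illustration; nothing here performs a real lookup.

```python
# Added example: why meta-information (DNS TXT, Whois, server banners) must be
# output-encoded before it is displayed. All records below are constructed
# sample data standing in for what a lookup tool would receive from the network.
from html import escape
from html.parser import HTMLParser

# Constructed records with XSS payloads in three different vectors. An attacker
# controls these for their own domain/host, not the lookup site's own storage.
SAMPLE_RECORDS = {
    "TXT example.test": 'v=spf1 include:_spf.example.test <script>alert(document.domain)</script> -all',
    "Whois registrant": 'Example Org <img src=x onerror=alert(document.cookie)>',
    "HTTP Server banner": 'Apache/2.2.14 <svg onload=alert(1)>',
}


def render_vulnerable(label, value):
    """Row built the way the affected sites did it: raw string concatenation."""
    return f"<tr><td>{label}</td><td>{value}</td></tr>"


def render_fixed(label, value):
    """Same row with HTML entity encoding; quote=True also encodes ' and \"
    so the value is safe inside a quoted attribute as well as in text."""
    return f"<tr><td>{escape(label, quote=True)}</td><td>{escape(value, quote=True)}</td></tr>"


class ActiveContentFinder(HTMLParser):
    """Records tags and on* event-handler attributes a browser would execute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(tag)
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"{tag}@{name}")


def active_content(html_fragment):
    """Return the list of executable tags/handlers found in a rendered fragment."""
    finder = ActiveContentFinder()
    finder.feed(html_fragment)
    finder.close()
    return finder.findings


def audit(records, renderer):
    """Render each record with `renderer` and return the labels whose output
    still carries active content, i.e. the rows that would fire as XSS."""
    return [label for label, value in records.items() if active_content(renderer(label, value))]


if __name__ == "__main__":
    print("vulnerable rows:", audit(SAMPLE_RECORDS, render_vulnerable))
    print("fixed rows:     ", audit(SAMPLE_RECORDS, render_fixed))
```

Running it lists all three records as live under `render_vulnerable` and none under `render_fixed`. The check parses the rendered HTML rather than grepping for `<script>`, so it also catches the attribute-based vectors (`onerror`, `onload`) that a naive blacklist misses. Entity encoding is the right fix for the text and quoted-attribute contexts shown here; if a lookup site ever places such data inside an unquoted attribute or a JavaScript block, that context needs its own encoding.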

As I was looking into contacting the various websites, I started thinking about how to classify this type of XSS. While data has to be provided in some of the requests (a hostname to look up, for example), you aren't providing the attack payload in the request, so it's not really reflected. At the same time nothing malicious is stored on the vulnerable server to be displayed to future users (the payload lives in the attacker's own DNS, Whois or banner data), so it's not really persistent either. It's also definitely not DOM based. That led to the conclusion that this needed a new classification, and I decided to go with Meta-Information Cross Site Scripting or miXSS (pronounced my-XSS).

To download the whitepaper and presentation:
http://blog.ncircle.com/blogs/vert/archives/2010/04/introducing_metainformation_xs.html
