[Owasp-testing] Cross Site Function Abuse

gsiere at comcast.net gsiere at comcast.net
Mon Jun 9 20:23:59 EDT 2008

...or whatever you want to call it.

Works fine - at least with stored/persistent XSS so far.  I'll play with it some more tomorrow.

The key is that you ahve to exploit a page which is already importing the .js file.  So when you create content via XSS on that page, you can access the functions in the .js file.   

So insead of having to inject all the JavaScript code and use script tags, you simply call SomeObscureFunction('malicious_input') in, for instance a link or something.

There may be actually be a way to dynamically load the the .js file onto the page via the XSS itself - stay tuned.

Anyway, Neat.  I'm with Dave, I think it should at least be mentioned as a technique to bypass filtering somewhere, maybe with an example. 


-------------- Original message -------------- 
From: "Dave van Stein" <dvstein at gmail.com> 
ehmm ... I'd vote for Cross site function stealing ...

2008/6/9 <gsiere at comcast.net>:

I like it!  Just...what do you call this?? 

Cross Site Script Abuse?
Cross Site Function Stealing?
Cross Site Script Overloading?


-------------- Original message -------------- 
From: "Dave van Stein" <dvstein at gmail.com> 

Talking about new thing/ways to test .. Did anybody see this blog:

It's about using existing, available .js or other resource for generating XSS and thus bypassing 'script filtering' and other blacklisting methods ...

Very interesting and also something to at least mention in the manual ?


2008/6/9 <gsiere at comcast.net>:


Ref HTTP Method Section 4.3.8

Has anyone seen HTTP "TRACK" method enabled when "TRACE" was not?  Would it make sense to test for "TRACK" separately?  From what I've seen, TRACK behaves pretty much like TRACE - so you should be able to get an XST attack from it -  but I've only seen both or none.  I guess it might be a way to circumvent an ACL or filter if TRACE is prohibited?

Also, how about all the WEBDAV methods like LOCK, COPY, MOVE, etc?  http://www.webdav.org/specs/rfc2518.html#rfc.section.4.4

Is there a single method you can check to see if WEBDAV is enabled at all (like maybe PROPFIND)? (assuming something like OPTIONS doesn't already tell you)?  I havn't seen this too often, and was going to research this a little but thought someone might already have some insight.


---------- Doorgestuurd bericht ----------
From: "Dave van Stein" <dvstein at gmail.com>
To: owasp-testing <owasp-testing at lists.owasp.org>
Date: Mon, 9 Jun 2008 12:33:25 +0000
Subject: Re: [Owasp-testing] HTTP TRACK and WEBDAV
Owasp-testing mailing list
Owasp-testing at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-testing/attachments/20080610/4e137fcf/attachment.html 

More information about the Owasp-testing mailing list