XSS Tunnelling Tool Released
Written by Editor   
Wednesday, 11 July 2007 21:32
UK security company Portcullis Computer Security have published an attack technique and complementary tool that radically increases an attacker’s capability when exploiting cross-site scripting flaws. The paper released by Portcullis first discusses a previously known technique that uses the 'xss-shell' concept to set up an XSS-based back channel. An xss-shell is a server-hosted script that is used to set up a bi-directional communication channel between a compromised browser and the attacker.

The paper then goes on to augment this area of research by developing a cross-site scripting tunnelling technique. Also released is a tool written in .NET that allows an attacker to run any tool that supports HTTP proxies over the channel created by the compromised session using the xss-shell.

This tool will make it very easy for a remote attacker to launch attacks against systems local to a compromised host. For instance, an attacker could use it to attempt to compromise machines on corporate networks through a simple cross-site scripting flaw.

You can grab the paper here and the tool here.
