Solved

Could an XSS attack be mounted using Firebug?

Posted on 2010-09-21
6
1,899 Views
Last Modified: 2012-05-10
This may be in the "dumb questions category." But I was wondering if it would be possible to use Firebug to create an XSS attack. It seems to be possible, but only in the trivial case of disclosing the attacker's information only.

But I was wondering if anyone could see a way to make a non-trivial attack. And how would one defend against such?

Any ideas?
Question by:jasimon9
6 Comments
 
LVL 11

Expert Comment

by:ProfessorBindokas
ID: 33732371
Hi

Main defenses against cross site scripting are:
1. validation checks in the code framework, e.g., Microsoft's ASP.NET has a nice suite of built-in validation checks that can be used to defend against XSS issues. J2EE has safeguards as well;
2. the use of a web application firewall "in front" of your application to prevent execution calls to "foreign" websites for script execution (caveat, ensuring that ALL traffic goes through the web application firewall and no send-arounds are possible).

An example of a non-trivial attack would be hijacking of account credentials, which are stored in the form of a SessionID on a cookie, and the use of that cookie to impersonate the user on another system. Another example is use of an XSS vulnerability to modify the information a user is posting to a website, which can be non-trivial if the post information is mission critical or financial in nature.
0
 

Author Comment

by:jasimon9
ID: 33736621
You have defined XSS. But you have not addressed my question about Firebug as a means of attacking at all.
0
 
LVL 4

Expert Comment

by:rajivvishwa
ID: 33737358
Firebug is nothing but an enhanced HTTP Request-Response parser. To perform XSS attacks, Firebug needs automation capabilities to send requests in a particular format and validate the response for XSS patterns. For that you have different Firefox add-ons like XSS Me (https://addons.mozilla.org/en-US/firefox/addon/7598).

To be frank, even I was thinking along the same lines, i.e., to extend Firebug to make it work like a security scanner.
0

 
LVL 61

Accepted Solution

by:
btan earned 250 total points
ID: 33759664
Firebug intercepts the "execution code" of the Firefox browser. It is more of a client proxy web code debugger. It does not directly tamper with the web traffic but is more able to set a breakpoint on each web call as you browse through the website using Firefox. We may change a parameter in the code for testing purposes or even tamper with that instance of the code. It is just reflected at that instance, not at client.

The key is that XSS will only occur if the real website has such a vulnerability. In other words, if the website has an XSS flaw, Firebug can single-step through and identify the active JavaScript to be executed. You may change the script content, but having a browser proxy like Burp or Paros can do more to tamper with the web traffic (received and sent out).

In summary, I will say that Firebug can help to discover XSS (esp. DOM based) instead of directly injecting XSS for persistent. Check out this short example on DOM based XSS

@ http://www.net-security.org/dl/articles/Blueinfy-JavaScript-Hacking.pdf  
0
 

Author Comment

by:jasimon9
ID: 33762532
You are getting close to the exact nature of my question.

I am essentially wondering if Firebug could be used to create a vulnerability on a page where no vulnerability previously exists. You are saying that this cannot happen, and that there would already have to be a vulnerability to exploit.

If that is in fact what you are saying, then I am thinking my question is answered.

The further point about using Firebug to discover vulnerabilities is also interesting, but is really outside the scope of my question.
0
 
LVL 61

Expert Comment

by:btan
ID: 33763150
I will say Firebug is good as a DOM inspector or JavaScript interpreter. It can extend to injecting an attack into the website for testing purposes, but that is also just validating that the website is vulnerable, not making it vulnerable. If interested in more, you can check out
@ http://www.tekbar.net/hackers-and-security/proficient-in-javascript-attacked-the-framework.html

Hope it helps
0
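As an added example that is not part of the original thread: the answers above say the flaw has to exist in the site itself and that validation in the code framework is a main defense, so this sketch puts an unencoded "before" template next to a hardened one with a server-side check that does not depend on anything the browser ran. The function names, the display-name rule and the sample input are assumptions constructed for illustration.

```javascript
// Added example, not code from the thread. All names and the sample
// input below are constructed for illustration.

// Encode the characters that let text break out of an HTML text node
// or a quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": reflects the request parameter into markup unchanged.
// This is the pre-existing site flaw the thread says must be present.
function renderGreetingVulnerable(name) {
  return `<p class="greeting">Hello, ${name}</p>`;
}

// "After": same template with output encoding applied at the sink.
function renderGreetingHardened(name) {
  return `<p class="greeting">Hello, ${escapeHtml(name)}</p>`;
}

// Server-side allow-list check. Client-side checks can be skipped or
// edited in a browser debugger, so the server repeats them itself.
function isValidDisplayName(name) {
  return typeof name === 'string' && /^[A-Za-z0-9 _.-]{1,40}$/.test(name);
}

// Full request path: validate first, then encode anyway.
function handleGreeting(name) {
  if (!isValidDisplayName(name)) {
    return { status: 400, body: '<p>Invalid name</p>' };
  }
  return { status: 200, body: renderGreetingHardened(name) };
}

// Constructed sample input: markup where a display name is expected.
const sample = '<script>alert(1)</script>';
console.log(renderGreetingVulnerable(sample)); // markup reaches the page intact
console.log(renderGreetingHardened(sample));   // markup is rendered as inert text
console.log(handleGreeting(sample).status);    // rejected before rendering
console.log(handleGreeting('jasimon9').body);  // ordinary name passes through
```
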
