Undisclosed Authenticated XSS

Some cross-site scripting (XSS) attacks only occur when you are logged in. One corporate web content management system I was testing did not appear to have any significant vulnerabilities listed on any of the main security sites, so I was a bit surprised to find an XSS issue when accessing the profile page of an uploaded file.

This got me thinking. As this is a corporate application and you need to be authenticated to see the page, the general attacker will arguably not be able to find the issue (unless they are familiar with the application or have tested it), hence no listing on the main vulnerability sites. The problem is that an attacker does not need to find it themselves: if a vulnerable hyperlink can be sent to a legitimate user, that user will hit the login page, and if the login simply redirects them to the URL they originally requested with no filtering, they encounter the XSS in their authenticated session.
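To make that chain concrete, here is an added example in Python (it is not code from the original post, nor from the CMS being tested): a toy application with an authenticated file-profile page that reflects a query parameter, a login handler that redirects to whatever `next` URL it was given, and hardened versions of both. The route names, the `label` parameter, the `FILES` record, the `app` and `follow_chain` helpers and the attacker link are all assumptions made up for the illustration.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample data (assumption, not from the original post): one uploaded file.
FILES = {"42": {"name": "q3-report.pdf", "size": 10240}}


def safe_next(target):
    """Allow only a same-site relative path as the post-login redirect target.

    Rejects absolute URLs, protocol-relative '//host' forms and the '/\\host'
    variant that browsers normalise to '//host'; anything rejected becomes '/'.
    """
    if not target or not target.startswith("/") or target[1:2] in ("/", "\\"):
        return "/"
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return "/"
    return target


def app(req, session, hardened=False):
    """Dispatch one request.

    req is {"method", "path", "form"} (path includes the query string) and
    session is a per-client dict; both are stand-ins for a real framework.
    With hardened=False the handlers reproduce the two weaknesses discussed
    above; with hardened=True they escape output and validate the redirect.
    Returns (status, headers, body).
    """
    parts = urlsplit(req["path"])
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}

    if parts.path == "/login":
        if req["method"] == "POST":
            session["user"] = req["form"]["user"]  # credentials not checked: toy login
            target = q.get("next", "/")
            if hardened:
                target = safe_next(target)
            return 302, {"Location": target}, ""
        return 200, {}, '<form method="post"><input name="user"></form>'

    if parts.path == "/files/profile":
        if "user" not in session:
            # Send the visitor to log in, remembering where they were going.
            return 302, {"Location": "/login?next=" + quote(req["path"], safe="")}, ""
        rec = FILES.get(q.get("id", ""))
        if rec is None:
            return 404, {}, "no such file"
        # 'label' stands in for whatever caller-supplied value the real profile
        # page reflected; it is an assumed parameter name for this example.
        label = q.get("label", rec["name"])
        if hardened:
            label = html.escape(label, quote=True)
        return 200, {}, f"<h1>{label}</h1><p>{rec['size']} bytes</p>"

    return 404, {}, "not found"


def follow_chain(link, hardened=False, max_hops=5):
    """Simulate a logged-out victim opening `link`, logging in when prompted
    and following redirects. Returns the body of the final response."""
    session = {}
    req = {"method": "GET", "path": link, "form": {}}
    body = ""
    for _ in range(max_hops):
        status, headers, body = app(req, session, hardened)
        if status != 302:
            break
        loc = headers["Location"]
        if urlsplit(loc).path == "/login":
            # The victim fills in the login form on the page they were sent to.
            req = {"method": "POST", "path": loc, "form": {"user": "alice"}}
        else:
            req = {"method": "GET", "path": loc, "form": {}}
    return body


# Constructed attacker link: the payload rides in the query string.
ATTACK_LINK = "/files/profile?id=42&label=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    print(follow_chain(ATTACK_LINK, hardened=False))  # script lands in the page
    print(follow_chain(ATTACK_LINK, hardened=True))   # script is escaped
    off_site = {"method": "POST", "path": "/login?next=//evil.example/", "form": {"user": "a"}}
    print(app(off_site, {}, hardened=True)[1])        # redirect target clamped to "/"
```

Two things are worth noticing in the run. First, the authentication requirement does nothing to stop the attack: the victim supplies the session, the attacker only supplies the link. Second, validating `next` alone would not fix the XSS (the path is on the same site, so `safe_next` rightly allows it); the output escaping in the profile page is what actually closes the hole, and the redirect check is there to stop the login page being used as an open redirector for other purposes.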

Another concern is making an intranet web application available on the Internet. Naturally there would be some form of authentication and accounting, but more than likely there would also be security issues in the web application itself that make it vulnerable (my experience suggests there are issues that simply don't get covered in a more 'relaxed' intranet application). Of course there is the network infrastructure to think about as well: a DMZ and encrypted transport protocols. So in general, companies should tread carefully when making the transition and call in a Mr Pentester... heh!

1 Comment so far

  1. dk @ October 19th, 2007

    Authenticated URLs can still be leaked onto Google and other web servers via the browser Referer header, although a lot of corporate proxies remove this nowadays.
