[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <5e01c29a0608152108h35d99042we915d0bc2b4cc354@mail.gmail.com>
Date: Wed, 16 Aug 2006 14:08:15 +1000
From: mikeiscool <michaelslists@...il.com>
To: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk, pen-test@...urityfocus.com,
webappsec@...urityfocus.com, bugtraq@...urityfocus.com
Subject: Re: JavaScript Lazy Authorization Forcer and Visited Link Scaner
i discovered this first!
well, maybe. but the site where i talked about it is now gone :)
anyway, it really doesn't need to be so complicated with creating a
new 'style' section; just use the a:visited selector.
<style>
a { margin-left: 1px; }
a:visited { margin-left: 2px; }
</style>
then check for the margin.
---
i wonder how easy it would be to code up a POC that checks for a gmail
session, then iframes it's way there, and then, assuming it logs in
[because of prior active session], starts an email spamming all your
contacts gmail has 'helpfully' saved.
i'm sure it'd be pretty successful,
-- mic
On 8/16/06, pdp (architect) <pdp.gnucitizen@...glemail.com> wrote:
> Lazy Authorization Forcer
> http://www.gnucitizen.org/projects/javascript-authorization-forcer/
>
> This is an idea I am still developing but here you go POC is available
> and it works. The malicious JavaScript presented here will try to
> guess URLs that contain credentials. It is sort of Basic
> Authentication/FTP Authentication bruteforcer.
>
> The POC works well in IE6, IE7, Firefox and Opera. I wasn't able to
> suppress the Basic Authentication dialog when trying to create Basic
> Authentication Bruteforcer. However, I came up with this lazyForce
> implementation. A typical attack vector will be as the following:
>
> 1. The attacker discovers your internal IP
> 2. Based on your IP a class C range is enumerated using the Port
> Scanning or Visited Link Scanning technique.
> 3. Once a target is discovered a large enough dictionary is used to
> find valid credentials associated with each IP.
>
> In order to make IE work a style sheet that is embeded inside the
> current document needs to be reused. Read the provided source code for
> more information.
>
> Visited Link Scanner
> http://www.gnucitizen.org/projects/javascript-visited-link-scanner/
>
> This is a technique that I've learned from Jeremiah Grossman
> (http://jeremiahgrossman.blogspot.com/) and his presentation on
> JavaScript malware. Please, keep all the credits for this finding to
> Jeremiah.
>
> http://www.gnucitizen.org/projects/javascript-visited-link-scanner/visitedlinkscanner.js
> The POC presented here is my improved version of the POC presented in
> BlackHat. I made it work well in IE6, IE7, Firefox and Opera. IE6 has
> very nasty disabilities when dealing with dynamically generated style
> sheets. However, these can be easy sorted out by reusing the current
> style sheet. If you are interested how it works just read the provided
> source code.
>
> Well, this is it.
>
> --
> pdp (architect)
> http://www.gnucitizen.org
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php
> ------------------------------------------------------------------------
>
>
Powered by blists - more mailing lists