Date: Tue, 14 Apr 2015 21:34:54 +0900
From: Takeshi Terada <>
Subject: whitepaper: Identifier based XSSI attacks

Hello list members,

We released a new technical whitepaper titled:
"Identifier based XSSI attacks"

CVE numbers:
CVE-2014-6345, CVE-2014-7939


Cross Site Script Inclusion (XSSI) is an attack technique (or a
vulnerability) that enables attackers to steal data of certain types
across origin boundaries, by including target data using a SCRIPT tag
in an attacker's Web page as below:

<!-- attacker's page loads external data with SCRIPT tag -->
<SCRIPT src=""></SCRIPT>

For years, it has been known among Web security researchers that
JavaScript files, JSONP and, in certain old browsers, JSON data are
subject to this type of information theft attack. In addition, some
browser vulnerabilities that allow attackers to gain information via
JavaScript error messages have been discovered and fixed in the past.

In 2014, we conducted research on this old topic and discovered some
new attack techniques and browser vulnerabilities that allow attackers
to steal simple text strings such as CSV, and more complex data under
certain circumstances. In the research, we mainly focused on a method
of stealing data as a client side script's identifier (variable or
function name).

In this paper, we first describe these attack techniques / browser
vulnerabilities in the next section and then discuss countermeasures
for these issues.

Other white papers released last year are available here:

- Attacking Android browsers via intent scheme URLs

- FilterExpression Injection attacks against ASP.NET applications

Takeshi Terada @ Mitsui Bussan Secure Directions, Inc.
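
The following is an added example, not part of the original post or the whitepaper: a defender-side audit of the precondition the announcement describes, namely that a non-script response (such as CSV) can only be pulled in through a SCRIPT tag if its body parses as script and the browser is not told to refuse it. The function names, sample responses and the simplified MIME list are assumptions made for illustration.

```javascript
// Added example: constructed inputs, hypothetical names throughout.
// Simplified subset of the MIME types browsers treat as JavaScript.
const JS_MIME = /^(application|text)\/(x-)?(java|ecma)script$/i;

// True if `body` is syntactically valid script text. new Function() only
// compiles; the result is never called, so the body is not executed.
// (Approximation: a function body also accepts a top-level `return`.)
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// headers: plain object of response headers; body: response text.
function auditResponse({ headers, body }) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const mime = (h['content-type'] || '').split(';')[0].trim();
  const nosniff =
    (h['x-content-type-options'] || '').trim().toLowerCase() === 'nosniff';
  // With nosniff, browsers refuse to run a script response whose MIME type
  // is not a JavaScript type.
  const blocked = nosniff && !JS_MIME.test(mime);
  const parses = parsesAsScript(body);
  // loadsAsScript is the precondition for inclusion, not proof of a leak.
  return { mime, nosniff, parses, loadsAsScript: parses && !blocked };
}

// Constructed sample responses.
const SAMPLES = {
  csvIdentifiers: { headers: { 'Content-Type': 'text/csv' },
                    body: 'name,token\nalice,s3cr3t\n' },
  csvHardened: { headers: { 'Content-Type': 'text/csv; charset=utf-8',
                            'X-Content-Type-Options': 'nosniff' },
                 body: 'name,token\nalice,s3cr3t\n' },
  csvFreeText: { headers: { 'Content-Type': 'text/csv' },
                 body: 'full name,e-mail\nAlice Smith,alice@example.test\n' },
  jsonObject: { headers: { 'Content-Type': 'application/json' },
                body: '{"user":"alice","token":"s3cr3t"}' },
};

for (const [name, res] of Object.entries(SAMPLES)) {
  console.log(name, auditResponse(res));
}
```

Responses flagged with `loadsAsScript: true` on authenticated endpoints are the ones to review first; serving them with a non-script Content-Type plus `X-Content-Type-Options: nosniff` turns the flag off.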
