Message-ID: <1066666905.3f940b998a32a@webmail.student.uu.se>
From: Ulf.Harnhammar.9485 at student.uu.se (Härnhammar, Ulf)
Subject: Re: Advanced XSS paper and semi-new attack

That's an interesting paper! Some points I thought about while reading it:

* Many environments (PHP, Perl+CGI.pm) accept both POSTed and GETted data. At 
least in some circumstances, they just put it in a structure for incoming data 
without much regard for what HTTP method was used.

* Several HTML constructs (<img>, <frame>, <iframe>..) will make the web 
browser start fetching a URL as soon as the web browser sees it, without 
asking the user first. In environments where there is either an XSS problem or 
an HTML filter that allows these constructs, they can be used for either:

a) performing actions in a web application under other people's names. For 
example, <img src="password-change.php?new=client&amp;again=client">

b) using someone else as a proxy for cracking into some server. For example, 
<frame 
src="ftp://ftp.vulnerable.org/AAAAAAAAAAAAAAAAAAAAAbufferoverflowfromhellAAA">

* An additional difficulty is that web browsers accept redirects for images, 
so someone could include an image ostensibly pointing to a PNG image on their 
server but which immediately redirects to a mail sending script at your server.

* This evil redirect problem isn't just related to XSS and such things. It can 
also be used together with social engineering. If people see an interesting 
link and click it, they don't expect the link to redirect back to the web 
application that they're logged in to and do nasty things there, but it can 
happen.

(I'm not sure if this information was new or not, just some stuff I've had 
lying around in my notebooks for months without writing it up.)

-- 
Ulf Härnhammar, student, Uppsala Universitet

"My ideas / often hit / platform six at London Bridge / took a train /
 thought of you / only until Waterloo"
-- Vic Twenty, "Kiss You"

På spaning efter den webbransch som flytt (In search of the web industry that has fled)
 http://home.student.uu.se/ulha9485/text/webbransch.html

kses - PHP HTML/XHTML filter
 http://sourceforge.net/projects/kses
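The behaviour described in points (a), (b) and the redirect remarks above, as an added example that is not code from the post or from kses: a model of a password-change handler that reads a merged parameter bag without checking the HTTP method (the PHP/CGI.pm pattern mentioned), the same handler hardened with a POST requirement, an Origin check and a per-session token, and a tiny browser model that fetches an `<img>`/`<frame>` src with cookies attached and follows redirects without asking. The hostnames `app.example` and `attacker.example`, the in-memory session store and the redirect table are assumptions made for this example; the target URL reuses the post's `password-change.php?new=client&again=client`.

```python
# Constructed example (not from the original post). Hostnames, the session
# store and the redirect table are assumptions made for illustration.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

APP_ORIGIN = "https://app.example"   # assumed origin of the victim application


@dataclass
class Request:
    method: str
    params: Dict[str, str]            # merged query + body, like PHP's $_REQUEST
    cookies: Dict[str, str]
    origin: Optional[str] = None      # Origin header; absent on an <img>/<frame> GET


@dataclass
class Session:
    user: str
    password: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


SESSIONS: Dict[str, Session] = {}     # session cookie value -> Session


def login(user: str, password: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user, password)
    return sid


def change_password_vulnerable(req: Request) -> Tuple[int, str]:
    """Reads the merged parameter bag and never checks the method, so a
    cookie-bearing GET started by an <img> tag is enough to act as the user."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401, "not logged in"
    new, again = req.params.get("new"), req.params.get("again")
    if new and new == again:
        sess.password = new
        return 200, "password changed"
    return 400, "passwords do not match"


def change_password_hardened(req: Request) -> Tuple[int, str]:
    """Same operation with three checks a browser-initiated image/frame fetch
    cannot satisfy, redirect or not: POST only, no foreign Origin, and a
    per-session token echoed back in the request."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "state change requires POST"
    if req.origin is not None and req.origin != APP_ORIGIN:
        return 403, "cross-origin request refused"
    if not hmac.compare_digest(req.params.get("csrf", ""), sess.csrf_token):
        return 403, "missing or invalid CSRF token"
    new, again = req.params.get("new"), req.params.get("again")
    if new and new == again:
        sess.password = new
        return 200, "password changed"
    return 400, "passwords do not match"


# Constructed stand-in for the third-party server: the "image" URL answers
# with a redirect to the application (the post's URL, HTML-decoded: & not &amp;).
REDIRECTS = {
    "https://attacker.example/cat.png":
        APP_ORIGIN + "/password-change.php?new=client&again=client",
}


def browser_fetch(url: str, cookies: Dict[str, str], handler,
                  max_hops: int = 3) -> Tuple[int, str]:
    """Model of a browser fetching an <img>/<frame>/<iframe> src: plain GET,
    cookies attached automatically, redirects followed, no user confirmation."""
    for _ in range(max_hops):
        if url in REDIRECTS:
            url = REDIRECTS[url]
            continue
        params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        return handler(Request("GET", params, cookies, origin=None))
    raise RuntimeError("too many redirects")


def demo() -> Dict[str, Tuple[int, str]]:
    """Attacker-supplied <img> against both handlers, then a genuine form
    submission and a forged cross-site POST against the hardened one."""
    results = {}
    sid = login("alice", "correct-horse")
    results["img_vs_vulnerable"] = browser_fetch(
        "https://attacker.example/cat.png", {"sid": sid}, change_password_vulnerable)
    sid2 = login("bob", "battery-staple")
    results["img_vs_hardened"] = browser_fetch(
        "https://attacker.example/cat.png", {"sid": sid2}, change_password_hardened)
    genuine = Request("POST", {"new": "n3w", "again": "n3w",
                               "csrf": SESSIONS[sid2].csrf_token},
                      {"sid": sid2}, origin=APP_ORIGIN)
    results["genuine_form"] = change_password_hardened(genuine)
    forged = Request("POST", {"new": "x", "again": "x"}, {"sid": sid2},
                     origin="https://attacker.example")
    results["forged_post"] = change_password_hardened(forged)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The redirect table is what makes the second point of the post visible: an HTML filter that only inspects the `src` hostname cannot distinguish a harmless image from one that bounces to the application, so the defence has to live in the handler (method, Origin and token checks), not in the filter.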

