lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 3 Jan 2010 23:50:29 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: "Andrew Farmer" <andfarm@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: MouseOverJacking attacks

Hello Andrew!

First of all, Happy New Year to you and to all participants of the list.

And about your letter.

> If you can inject arbitrary HTML into a web page,

When you are talking about arbitrary HTML, then it means possibility to
inject angle brackets and in my article I'm talking about hardest cases,
where using of angle brackets is not possible.

> there are plenty of ways (many of them easier or more flexible than this)
> you can get it to run Javascript

Yes, in other cases there can be used other XSS attack vectors. But I'm
talking about hardest cases, where only using of events of html objects are
possible. As I clearly wrote about it in my article. Here is a quote from
the article:

It's possible to intercept onMouseOver events in Cross-Site Scripting
vulnerabilities, when other vectors of XSS attacks are impossible at the
site. For example, in case of filtration at the server or using of WAF.

So in such rare cases, when you can only use events of html objects for
attack, you can use MouseOverJacking technique instead of common XSS attack,
to conduct this XSS attack automatically.

Also in my article I wrote that MouseOverJacking can be used for other
attacks (DoS, CSRF and others).

> None of this is considered particularly novel at this point.

All of attack vectors mentioned by you are known to me for a long time. It's
known XSS attack vectors. As I said, MouseOverJacking can be used in hard
cases (when other automated XSS attacks are not possible), to make
automation of such attack.

Besides, as I see from conversation with different people about
MouseOverJacking (including you), people didn't see the possibility of using
this attack technique not only in rare cases, but in more widespread cases
of XSS attacks. As I hinted about it in my article ;-). So at the end of
December I decided to make a new article with description of wider use of
MouseOverJacking for XSS attacks. And I'll write it soon.

P.S.

> - Embedded objects (say, Flash, using ExternalInterface)

Or Flash with getURL.

About XSS attack via Flash I have another article - XSS vulnerabilities in 8
millions flash files (http://websecurity.com.ua/3789/). Which you can read.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "Andrew Farmer" <andfarm@...il.com>
To: "MustLive" <mustlive@...security.com.ua>
Cc: <full-disclosure@...ts.grok.org.uk>
Sent: Thursday, December 31, 2009 7:15 AM
Subject: Re: [Full-disclosure] MouseOverJacking attacks


On 29 Dec 2009, at 13:48, MustLive wrote:
> Recently, 26th of December 2009, I wrote the article MouseOverJacking
> attacks (http://websecurity.com.ua/3807/), and today I
> wrote English version of it (http://websecurity.com.ua/3814/).

Hardly news. If you can inject arbitrary HTML into a web page, there are
plenty of ways (many of them easier or more flexible than this) you can get
it to run Javascript:

- <script> tags, obviously

- Binding other events that'll trigger without an event, like onLoad

- CSS (either inline, in a <style>, or loaded from another site with <link
rel="stylesheet">) containing any of:

  * Background images loaded with the javascript: protocol
  * expression() (MSIE only?)
  * -moz-binding

- Embedded objects (say, Flash, using ExternalInterface)

None of this is considered particularly novel at this point.=

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists