Message-Id: <D791DEE5-088B-46CE-BB2C-929392E30F2F@gmail.com>
Date: Wed, 2 Mar 2011 11:38:07 -0800
From: Andrew Farmer <andfarm@...il.com>
To: Nathan Power <np@...uritypentest.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Facebook URL Redirect Vulnerability

On 2011-03-02, at 06:30, Nathan Power wrote:
> There are 3 different steps to perform an attack using a URL redirect: 1)
> trick the user 2) redirect 3) exploit .. We are using a Facebook URL to
> trick the user, we are using the URL redirect as the catalyst to perform an
> exploit.
>
> Here are some examples of the types of attacks you can perform with a URL
> redirect, CSRF, phishing (fake fb login), and browser exploits (javascript
> zombie,0days,etc).
>
> How would you have written the impact section?

Something like this:

> 3. Impact:
>
> An attacker may obfuscate the target of a link, potentiating phishing attacks and/or bypassing some simple URL filters.

Or something of the sort. The actual target of the link isn't obscured in the URL, so it's not even particularly convincing if the URL is displayed in plain text.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
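
The filter bypass named in the suggested impact text, as an added example that is not part of the original message: a filter that checks only the link's own host passes a redirect link, while one that also inspects URLs carried in the query string catches it, because the target is still readable there. The host names, the `l.php` path, the `u` parameter and the blocklist are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

BLOCKED_HOSTS = {"phish.example"}  # constructed blocklist entry

# Constructed sample links; "social.example" stands in for the trusted site.
REDIRECT_LINK = "https://social.example/l.php?u=http%3A%2F%2Fphish.example%2Flogin"
DOUBLE_ENCODED = "https://social.example/l.php?u=http%253A%252F%252Fphish.example%252F"
INTERNAL_LINK = "https://social.example/l.php?u=%2Fhome"

def _host(value):
    """Lowercase host if value is an absolute or scheme-relative http(s) URL, else None."""
    value = value.strip()
    if value.startswith("//"):
        value = "http:" + value
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None

def embedded_targets(url, max_depth=3):
    """Hosts of URLs carried in query parameters, following nesting up to max_depth."""
    found, pending = [], [(url, 0)]
    while pending:
        current, depth = pending.pop()
        if depth >= max_depth:
            continue
        for _name, value in parse_qsl(urlsplit(current).query, keep_blank_values=True):
            for candidate in (value, unquote(value)):  # second decode: double-encoding
                host = _host(candidate)
                if host:
                    if host not in found:
                        found.append(host)
                    pending.append((candidate, depth + 1))
                    break
    return found

def naive_is_blocked(url):
    """Simple filter: looks only at the host the link points to first."""
    return (urlsplit(url).hostname or "").lower() in BLOCKED_HOSTS

def redirect_aware_is_blocked(url):
    """Also blocks when any URL embedded in the query string has a blocked host."""
    return naive_is_blocked(url) or any(h in BLOCKED_HOSTS for h in embedded_targets(url))

if __name__ == "__main__":
    for link in (REDIRECT_LINK, DOUBLE_ENCODED, INTERNAL_LINK):
        print(link, naive_is_blocked(link), redirect_aware_is_blocked(link))
```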