Date: Tue, 14 Apr 2015 21:34:54 +0900
From: Takeshi Terada <mbsdtest01@...il.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] whitepaper: Identifier based XSSI attacks

Hello list members,

We released a new technical whitepaper titled:
"Identifier based XSSI attacks"

CVE numbers: CVE-2014-6345, CVE-2014-7939
URL: http://www.mbsd.jp/Whitepaper/xssi.pdf

Introduction:
-------------------------------
Cross Site Script Inclusion (XSSI) is an attack technique (or a
vulnerability) that enables attackers to steal data of certain types
across origin boundaries, by including target data using a SCRIPT tag
in an attacker's Web page as below:

  <!-- attacker's page loads external data with SCRIPT tag -->
  <SCRIPT src="http://target.example.jp/secret"></SCRIPT>

For years, it has been known among Web security researchers that
JavaScript files, JSONP and, in certain old browsers, JSON data are
subject to this type of information theft attack. In addition, some
browser vulnerabilities that allow attackers to gain information via
JavaScript error messages have been discovered and fixed in the past.

In 2014, we conducted research on this old topic and discovered some
new attack techniques and browser vulnerabilities that allow attackers
to steal simple text strings such as CSV, and more complex data under
certain circumstances. In the research, we mainly focused on a method
of stealing data as a client side script's identifier (variable or
function name).

In this paper, we first describe these attack techniques / browser
vulnerabilities in the next section and then discuss countermeasures
for these issues.
-------------------------------

Other white papers released last year are available here:
http://www.mbsd.jp/insight.html

- Attacking Android browsers via intent scheme URLs
  http://www.mbsd.jp/Whitepaper/IntentScheme.pdf

- FilterExpression Injection attacks against ASP.NET applications
  http://www.mbsd.jp/Whitepaper/FilterExpression.pdf

--
Takeshi Terada @ Mitsui Bussan Secure Directions, Inc.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/