[Full-Disclosure] Re: Advanced XSS paper and semi-new attack

From: Härnhammar, Ulf (Ulf.Harnhammar.9485_at_student.uu.se)
Date: 10/20/03

    To: webappsec@securityfocus.com
    Date: Mon, 20 Oct 2003 18:21:45 +0200
    
    

    That's an interesting paper! Some points I thought about while reading it:

    * Many environments (PHP, Perl+CGI.pm) accept both POSTed and GETted data. At
    least in some circumstances, they just put it in a structure for incoming data
    without much regard for what HTTP method was used.

    * Several HTML constructs (<img>, <frame>, <iframe>..) will make the web
    browser start fetching a URL as soon as the web browser sees it, without
    asking the user first. In environments where there is either an XSS problem or
    an HTML filter that allows these constructs, they can be used for either:

    a) performing actions in a web application under other people's names. For
    example, <img src="password-change.php?new=client&amp;again=client">

    b) using someone else as a proxy for cracking into some server. For example,
    <frame
    src="ftp://ftp.vulnerable.org/AAAAAAAAAAAAAAAAAAAAAbufferoverflowfromhellAAA">

    * An additional difficulty is that web browsers accept redirects for images,
    so someone could include an image ostensibly pointing to a PNG image on their
    server but which immediately redirects to a mail sending script at your server.

    * This evil redirect problem isn't just related to XSS and such things. It can
    also be used together with social engineering. If people see an interesting
    link and click it, they don't expect the link to redirect back to the web
    application that they're logged in to and do nasty things there, but it can
    happen.

    (I'm not sure if this information was new or not, just some stuff I've had
    lying around in my notebooks for months without writing it up.)

    -- 
    Ulf Härnhammar, student, Uppsala Universitet
    "My ideas / often hit / platform six at London Bridge / took a train /
     thought of you / only until Waterloo"
    -- Vic Twenty, "Kiss You"
    På spaning efter den webbransch som flytt
     http://home.student.uu.se/ulha9485/text/webbransch.html
    kses - PHP HTML/XHTML filter
     http://sourceforge.net/projects/kses
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
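The two points about merged GET/POST data and about `<img>`/`<frame>` tags firing requests under the victim's own session can be shown in a few lines of code. The block below is an added example and not part of the original post or of any project it mentions; it is written in Python rather than PHP, and the `Request`, `Account` and handler names are constructed for illustration. It puts a handler that behaves like the `password-change.php?new=client&again=client` case beside one that refuses anything except a POST carrying a per-session token.

```python
"""Constructed example: a password-change action reached by a forged GET
(the <img src="password-change.php?new=client&again=client"> case from the
post) beside a handler that requires POST plus a per-session token."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a framework would present it."""
    method: str
    query: dict = field(default_factory=dict)    # URL query-string parameters
    form: dict = field(default_factory=dict)     # URL-encoded POST body
    session: dict = field(default_factory=dict)  # server-side session the cookie selects


class Account:
    def __init__(self, password: str = "original") -> None:
        self.password = password


def merged_params(req: Request) -> dict:
    """Mimic environments that fold GET and POST data into one structure
    (PHP's $_REQUEST, CGI.pm's param()): the handler never learns which
    HTTP method delivered a value."""
    params = dict(req.query)
    params.update(req.form)
    return params


def change_password_vulnerable(req: Request, account: Account) -> bool:
    """Accepts the change from either method, so an <img> on any page the
    victim views triggers it with the victim's own session cookie."""
    p = merged_params(req)
    new = p.get("new")
    if new and new == p.get("again"):
        account.password = new
        return True
    return False


def issue_csrf_token(session: dict) -> str:
    """Mint an unguessable per-session token and keep it server side; the
    real form embeds it in a hidden field. A third-party page cannot read it."""
    token = secrets.token_hex(16)
    session["csrf"] = token
    return token


def change_password_hardened(req: Request, account: Account) -> bool:
    """Require POST, read only the body, and check the synchronizer token."""
    if req.method != "POST":           # a fetched <img>/<frame> URL is always a GET
        return False
    expected = req.session.get("csrf")
    supplied = req.form.get("csrf")    # body only; the query string is ignored
    if not expected or not supplied or not hmac.compare_digest(supplied, expected):
        return False
    new = req.form.get("new")
    if not new or new != req.form.get("again"):
        return False
    account.password = new
    return True


def forged_image_request(session: dict) -> Request:
    """What the browser sends when it renders the attacker's <img>: a GET whose
    query string carries the attacker's values and whose cookie selects the
    victim's session. (Constructed sample input.)"""
    return Request("GET", query={"new": "client", "again": "client"}, session=session)


def legitimate_request(session: dict, token: str) -> Request:
    """A genuine form submission: POST body with the matching token."""
    return Request("POST", form={"new": "client", "again": "client", "csrf": token},
                   session=session)


if __name__ == "__main__":
    victim, weak = {}, Account()
    print("vulnerable handler, forged GET:",
          change_password_vulnerable(forged_image_request(victim), weak), weak.password)
    victim, strong = {}, Account()
    token = issue_csrf_token(victim)
    print("hardened handler, forged GET:",
          change_password_hardened(forged_image_request(victim), strong), strong.password)
    print("hardened handler, real POST:",
          change_password_hardened(legitimate_request(victim, token), strong), strong.password)
```

The method check alone is not enough in environments that merge GET and POST data, which is why the hardened handler reads the values from the body explicitly; and the token is what stops a forged POST from a form on a third-party page, a case the method check cannot catch.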
    
