[Full-disclosure] RE: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein

From: Sergey V. Gordeychik (gordey_at_itsecurity.ru)
Date: 09/30/05

  • Next message: ZATAZ Audits: "[Full-disclosure] apachetop insecure temporary file creation" 
    Date: Fri, 30 Sep 2005 10:00:55 +0400
To: <bugtraq@securityfocus.com>, <full-disclosure@lists.grok.org.uk>

    Hi list.

    I checked some ideas and think that reflected XSS in user-agent and
    other http request headers fileds (cookies for example) can be exploited
    via http request smuggling\splitting cache poisoning attacks using
    described techniques.
    So vendors who discard such vulnerabilities as not explotable should
    take it into account.

    Regards,
    Sergey V. Gordeychik,
    MCSE, MCT, CISSP
     
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

  • Next message: ZATAZ Audits: "[Full-disclosure] apachetop insecure temporary file creation"

    Relevant Pages

    • RE: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein
      ... other http request headers fileds (cookies for example) can be exploited ...
      (Bugtraq)
    • Re: Can I see HTTP request sent my IE.
      ... >I am writing a webcrawler, so to speak, and for some reason, this one ... What I don't know is if there are other fields header ... or other stuff like cookies. ... > allow me to see the entire HTTP request, ...
      (microsoft.public.dotnet.framework.aspnet)
    • Re: Can I see HTTP request sent my IE.
      ... > I am writing a webcrawler, so to speak, and for some reason, this one ... > other fields header fields that might be important, ... > connection and allow me to see the entire HTTP request, ... > headers and cookies so that I can see what happens when I navigate ...
      (microsoft.public.dotnet.framework.aspnet)
    • access HTTP request parameters?
      ... I have a rather complex 3rd party web application using Cookies ... the users browser to load an applet. ... set in the HTTP request used to load applet.jar to the client. ...
      (comp.lang.java.programmer)
    • Re: access HTTP request parameters?
      ... Is there a way to access the Cookie-Header (or any other HTTP request header) of the HTTP request that was used to load the applet's jar file? ... I haven't really tried but does opening a connection from the applet code goes through the host/browser libraries, therefore cookies being automatically set? ...
      (comp.lang.java.programmer)