Web Application Security
Re: Advanced XSS paper and semi-new attack Oct 20 2003 04:21PM
Härnhammar, Ulf (Ulf Harnhammar 9485 student uu se)
That's an interesting paper! Some points I thought about while reading it:

* Many environments (PHP, Perl+CGI.pm) accept both POSTed and GETted data. At
least in some circumstances, they just put it in a structure for incoming data
without much regard for what HTTP method was used.

* Several HTML constructs (<img>, <frame>, <iframe>..) will make the web
browser start fetching a URL as soon as the web browser sees it, without
asking the user first. In environments where there is either an XSS problem or
an HTML filter that allows these constructs, they can be used for either:

a) performing actions in a web application under other people's names. For
example, <img src="password-change.php?new=client&again=client">

b) using someone else as a proxy for cracking into some server. For example,
<frame
src="ftp://ftp.vulnerable.org/AAAAAAAAAAAAAAAAAAAAAbufferoverflowfromhel
lAAA">

* An additional difficulty is that web browsers accept redirects for images,
so someone could include an image ostensibly pointing to a PNG image on their
server but which immediately redirects to a mail sending script at your server.

* This evil redirect problem isn't just related to XSS and such things. It can
also be used together with social engineering. If people see an interesting
link and click it, they don't expect the link to redirect back to the web
application that they're logged in to and do nasty things there, but it can
happen.

(I'm not sure if this information was new or not, just some stuff I've had
lying around in my notebooks for months without writing it up.)

--
Ulf Härnhammar, student, Uppsala Universitet

"My ideas / often hit / platform six at London Bridge / took a train /
thought of you / only until Waterloo"
-- Vic Twenty, "Kiss You"

På spaning efter den webbransch som flytt
http://home.student.uu.se/ulha9485/text/webbransch.html

kses - PHP HTML/XHTML filter
http://sourceforge.net/projects/kses

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus