Web Application Security
Re: [WEB SECURITY] Help with referer issues in XSS Mar 05 2012 01:24PM
Stefano Di Paola (stefano dipaola wisec it)
Also check for:

5. www.example.com.attacker.com/.. as the referrer

just in case the referrer checking regexp is broken.

Cheers
Stefano

On Fri, 02/03/2012 at 18:30 -0800, super evr wrote:
> Here are a couple of things to try that I've learned in my experience.
>
> First you can find out more about how the application is checking the REFERER.
> Find out if the application is only verifying parts of the REFERER or
> the entire URL. Try taking parts of the REFERER out and see if the
> request is still valid, for example:
> 1. www.example.com/profile.jsp [original]
> 2. www.example.com/arbitrary_page.jsp
> 3. [no referrer]
> 4. www.attacker.com/www.example.com/profile.jsp
>
> If you find a redirector on the site, you can use [2].
> If the request is allowed with no REFERER, the attack site can be
> hosted on HTTPS since HTTPS->HTTP won't send the REFERER [3].
> Create a new folder on the attack site with the URL of the victim site.
>
> If the referrer checking is strict [1], then the attack might not be
> as easy. Either way, vuln is still vuln.
>
> Phil
>
> On Mar 2, 2012, at 10:43 AM, Tim <tim-security (at) sentinelchicken (dot) org [email concealed]> wrote:
>
> >
> > Hello,
> >
> >
> >> Suppose there is a reflected XSS vulnerability in a pop SNS, but this
> >> site is "concerned" about security, so they check the referer field of
> >> certain POST requests to make sure that they are normal and correct. Is
> >> it possible for me to bypass this check within javascript? It seems
> >> that I can't set this parameter like this:
> >>
> >> xmlHttp.setRequestHeader("Referer","http://expected.target");
> >>
> >> It would be appreciated if someone can give me a clue.
> >
> >
> > I'm always interested to see what the community's response is to this
> > question. It comes up relatively frequently in the context of CSRF
> > (since this kind of checking can mitigate CSRF). Often most people
> > are skeptical that this kind of checking is sufficient to prevent CSRF
> > and reflected XSS, but in recent times, I am not aware of a way around
> > it in the general case.
> >
> > Old versions of Flash do allow one to set Referer cross-domain, but it
> > is my impression this was fixed quite some time ago. Various XHR API
> > vulnerabilities have also existed in the past to allow for injection
> > of restricted headers, like Referer, but these could be seen as
> > browser vulnerabilities.
> >
> > Recently [1] it was pointed out how headers containing '-' can be
> > spoofed due to foolishness in CGI-compatible APIs that transliterate
> > header names, but Referer of course doesn't have a '-'.
> >
> > Can anyone give an example of how one would get around Referer
> > checking?
> >
> > tim
> >
> >
> > 1. http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-January/008170.html
> >
> > _______________________________________________
> > The Web Security Mailing List
> >
> > WebSecurity RSS Feed
> > http://www.webappsec.org/rss/websecurity.rss
> >
> > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> >
> > WASC on Twitter
> > http://twitter.com/wascupdates
> >
> > websecurity (at) lists.webappsec (dot) org [email concealed]
> > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

--
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer

Owasp Italy R&D Director

Web: www.wisec.it
Twitter: http://twitter.com/WisecWisec
..................
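As an added example (not code from Stefano's or Phil's mail), the following contrasts the substring-style Referer check the thread is probing with one that parses the header and compares the origin; the expected origin and the sample Referer values are constructed for illustration, and the function names are mine.

```python
import re
from urllib.parse import urlsplit

# Constructed: the origin the application expects its POSTs to come from.
EXPECTED_SCHEME = "https"
EXPECTED_HOST = "www.example.com"


def weak_referer_check(referer):
    """Substring-style check of the kind the thread warns about.

    It accepts anything that merely contains the expected host name, so
    'www.attacker.com/www.example.com/...' (Phil's case 4) and
    'www.example.com.attacker.com/..' (Stefano's case 5) both pass, and a
    missing header (case 3) is waved through as well."""
    if referer is None:
        return True
    return re.search(r"www\.example\.com", referer) is not None


def strict_referer_check(referer):
    """Parse the header as a URL and compare scheme and host exactly.

    A missing or unparseable Referer is rejected: as the thread notes, an
    HTTPS page linking to HTTP sends no Referer at all, so 'no header'
    must not be read as 'came from us'. urlsplit().hostname strips any
    port and userinfo, so 'https://www.example.com@attacker.com/' yields
    'attacker.com' and is rejected. The check validates the origin only,
    not the specific page, so it still accepts case 2 (another page on
    the expected host)."""
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme != EXPECTED_SCHEME:
        return False
    return (parts.hostname or "") == EXPECTED_HOST


# Constructed sample values mirroring the cases listed in the thread.
CASES = {
    "original": "https://www.example.com/profile.jsp",
    "other page": "https://www.example.com/arbitrary_page.jsp",
    "none": None,
    "path trick": "https://www.attacker.com/www.example.com/profile.jsp",
    "subdomain trick": "https://www.example.com.attacker.com/..",
}


def compare_checks():
    """Return {case: (weak result, strict result)} for every sample value."""
    return {name: (weak_referer_check(r), strict_referer_check(r))
            for name, r in CASES.items()}
```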
