Web Application Security
RE: Help with referer issues in XSS Mar 07 2012 06:01AM
Alan Tatourian (alan tatourian com)
If you want to create a script setting headers and exploiting XSS that you
could redistribute to potential victims via email, you can't. But there are a
number of ways to set a 'referer' via various tools or in lower-level
languages. You could also write a script that would take a victim to an
evilguy.com which would do the harm, setting headers, etc. There are other,
more sophisticated ways, like man-in-the-middle attacks, that would also work.

Alan Tatourian

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Yuping Li
Sent: Tuesday, March 06, 2012 8:36 PM
To: Ward, Jon; ray.bradbury9 (at) gmail (dot) com; stefano.dipaola (at) wisec (dot) it
Cc: webappsec (at) securityfocus (dot) com; websecurity (at) webappsec (dot) org
Subject: Re: Help with referer issues in XSS

Hi,

Thanks for all your responses. The premise of my situation is that there is an
XSS bug in the site, and I want to utilize this vuln to do something more,
for example, forge some POST requests in my JS code; you may recall the
glorious "Samy" story here. But the server is now checking the referer field
of any request, and the expected referer should look like this:
http://(www.)example.com(/xxx).

And it can't be:
1. no referer
2. (example.com.***).attack.com/...

Until the last second, I came to realize that the host part in the referer
field can only be http://(www.)example.com, and the request will fail if the
referer contains some sort of "XSS attempt", but I can only launch the POST
requests from the XSSed page, which means the XSS attempt will inevitably be
contained in the referer field of a normal request. Of course I can set it
with Firefox addons, but there is no point here.

It seems that if there is no programmatic way to set my own referer for my POST
request and their XSS-detecting techniques on the referer are good enough, I may
have no hope.

Yuping
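An added example (not code from this thread): a server-side Referer validator applying the two rules above by parsing the header and comparing the host component exactly, so lookalike hosts, the trusted name tucked into another host's path or userinfo, and a missing header are all rejected. It assumes https is accepted alongside http; and since a request issued by script already running on the site's own pages carries a valid Referer (the thread's point), this check complements fixing the XSS rather than replacing it.

```python
from urllib.parse import urlsplit

# Constructed for this example: the hosts the thread says a valid
# Referer may name, i.e. http://(www.)example.com(/xxx).
TRUSTED_HOSTS = {"example.com", "www.example.com"}


def referer_is_trusted(referer, trusted_hosts=TRUSTED_HOSTS):
    """Return True only when the Referer header names a trusted host.

    The header is parsed as a URL and its host component is compared
    exactly; no substring match on "example.com" is ever performed.
    Rejected cases, matching the two rules in the thread:
      1. no Referer at all
      2. lookalike hosts such as example.com.attack.com, or the trusted
         name placed in the path, query or userinfo of another host.
    """
    if not referer:
        return False  # rule 1: missing or empty header
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False  # malformed URL (e.g. unbalanced IPv6 brackets)
    # Assumption: https is accepted alongside the http scheme the thread quotes.
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lower-cased, with userinfo and port stripped
    return host is not None and host in trusted_hosts


# Constructed sample headers and the verdict each should receive.
SAMPLES = {
    "http://www.example.com/profile/edit": True,
    "http://example.com": True,
    "HTTP://WWW.EXAMPLE.COM/": True,           # scheme and host are case-insensitive
    "": False,                                 # rule 1
    "http://example.com.attack.com/": False,   # rule 2: lookalike host
    "http://attack.com/http://www.example.com/": False,  # trusted name in path
    "http://www.example.com@attack.com/": False,         # trusted name in userinfo
    "ftp://www.example.com/": False,           # wrong scheme
}


def run_samples():
    """Evaluate every sample and return {referer: verdict}."""
    return {r: referer_is_trusted(r) for r in SAMPLES}
```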

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Copyright 2010, SecurityFocus