i wonder how easy it would be to code up a POC that checks for a gmail
session, then iframes its way there, and then, assuming it logs in
[because of prior active session], starts an email spamming all your
contacts gmail has 'helpfully' saved.
i'm sure it'd be pretty successful.
-- mic
On 8/16/06, pdp (architect) <pdp.gnucitizen (at) googlemail (dot) com [email concealed]> wrote:
> Lazy Authorization Forcer
> http://www.gnucitizen.org/projects/javascript-authorization-forcer/
>
> This is an idea I am still developing, but here you go: the POC is
> available and it works. The malicious JavaScript presented here will
> try to guess URLs that contain credentials. It is a sort of Basic
> Authentication/FTP Authentication bruteforcer.
>
> The POC works well in IE6, IE7, Firefox and Opera. I wasn't able to
> suppress the Basic Authentication dialog when trying to create a Basic
> Authentication Bruteforcer. However, I came up with this lazyForce
> implementation. A typical attack vector will be as follows:
>
> 1. The attacker discovers your internal IP
> 2. Based on your IP a class C range is enumerated using the Port
> Scanning or Visited Link Scanning technique.
> 3. Once a target is discovered a large enough dictionary is used to
> find valid credentials associated with each IP.
>
> In order to make IE work, a style sheet that is embedded inside the
> current document needs to be reused. Read the provided source code for
> more information.
>
> Visited Link Scanner
> http://www.gnucitizen.org/projects/javascript-visited-link-scanner/
>
> This is a technique that I've learned from Jeremiah Grossman
> (http://jeremiahgrossman.blogspot.com/) and his presentation on
> JavaScript malware. Please, keep all the credits for this finding to
> Jeremiah.
>
> http://www.gnucitizen.org/projects/javascript-visited-link-scanner/visitedlinkscanner.js
> The POC presented here is my improved version of the POC presented at
> BlackHat. I made it work well in IE6, IE7, Firefox and Opera. IE6 has
> very nasty disabilities when dealing with dynamically generated style
> sheets. However, these can be easily sorted out by reusing the current
> style sheet. If you are interested in how it works, just read the
> provided source code.
>
> Well, this is it.
>
> --
> pdp (architect)
> http://www.gnucitizen.org
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php
> ------------------------------------------------------------------------
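The quoted mail's step 3 (a dictionary run against every host found in the class C range) is what a defender can actually see on the target side: each wrong guess against HTTP Basic Authentication is one 401 in the web server's access log. The following is an added example, not code from the thread or from gnucitizen.org, showing that detection over Apache/nginx combined-format log lines. The log lines are constructed for the example, the threshold and window are arbitrary defaults, and "success after the burst" is read as a 2xx from the same client once the 401s stop.

```javascript
// Added example, not code from the thread: detection logic for the dictionary
// attack described in step 3 of the quoted mail, run over web-server access logs.
// A guessed-credential loop shows up as a burst of HTTP 401 responses from one
// client; a 2xx right after the burst suggests a guess succeeded.
// Assumed log format: Apache/nginx "combined". The sample lines are constructed.

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "16/Aug/2006:10:15:01 +0000" -> epoch milliseconds (UTC); NaN if malformed.
function parseClfTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || !(m[2] in MONTHS)) return NaN;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offsetMin = (+m[8] * 60 + +m[9]) * (m[7] === '+' ? 1 : -1);
  return local - offsetMin * 60 * 1000; // convert the logged local time to UTC
}

// One combined-format line -> { ip, time, request, status }, or null if it does
// not parse (garbage lines are skipped rather than aborting the run).
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const time = parseClfTime(m[2]);
  if (Number.isNaN(time)) return null;
  return { ip: m[1], time, request: m[3], status: Number(m[4]) };
}

// Report every client with at least `threshold` 401s inside any `windowMs`
// span, and whether a 2xx from the same client followed the burst.
function findBasicAuthBruteForce(lines, { threshold = 10, windowMs = 60000 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const alerts = [];
  for (const [ip, entries] of byIp) {
    entries.sort((a, b) => a.time - b.time);
    const failures = entries.filter((e) => e.status === 401).map((e) => e.time);
    // Sliding window over the sorted 401 timestamps: the densest burst wins.
    let start = 0, best = 0, bestStart = 0;
    for (let end = 0; end < failures.length; end++) {
      while (failures[end] - failures[start] > windowMs) start++;
      if (end - start + 1 > best) { best = end - start + 1; bestStart = start; }
    }
    if (best < threshold) continue;
    const lastFailure = failures[bestStart + best - 1];
    const succeededAfter = entries.some(
      (e) => e.time >= lastFailure && e.status >= 200 && e.status < 300);
    alerts.push({
      ip,
      count: best,
      firstSeen: new Date(failures[bestStart]).toISOString(),
      lastSeen: new Date(lastFailure).toISOString(),
      succeededAfter,
    });
  }
  return alerts;
}

// Constructed sample: twelve failed guesses in twelve seconds from 10.0.0.23,
// then a 200 (a guess landed); one stray 401 from another host; one garbage line.
const SAMPLE_LOG = [
  ...Array.from({ length: 12 }, (_, i) =>
    `10.0.0.23 - - [16/Aug/2006:10:15:${String(i).padStart(2, '0')} +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"`),
  '10.0.0.23 - - [16/Aug/2006:10:15:12 +0000] "GET /admin/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
  '10.0.0.7 - - [16/Aug/2006:10:16:40 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
  '10.0.0.7 - - [16/Aug/2006:10:16:45 +0000] "GET /admin/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
  'this line is not an access-log record and is skipped',
];

console.log(JSON.stringify(findBasicAuthBruteForce(SAMPLE_LOG), null, 2));
```

Run with `node` and the only alert is for 10.0.0.23 with twelve 401s and `succeededAfter: true`; the single 401 from 10.0.0.7 stays below the threshold. Because the lazyForce idea runs from a victim's browser inside the LAN, the source IP in these alerts is the victim's workstation, not the attacker's, which is the interesting part for the responder.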
well, maybe. but the site where i talked about it is now gone :)
anyway, it really doesn't need to be so complicated with creating a
new 'style' section; just use the a:visited selector.
<style>
a { margin-left: 1px; }
a:visited { margin-left: 2px; }
</style>
then check for the margin.
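As an added example, not from the thread or from gnucitizen.org, here is the stylesheet above turned into a self-check that reports whether the browser it runs in still exposes history through :visited styling. It assumes that a link to the page's own URL matches :visited (the current page is in history) and that a random hostname under the reserved .invalid TLD does not; current browsers (the fix shipped in Firefox 4 and Chrome 9) return the unvisited computed style for both links, which the check reports as "protected". The decision function is kept separate from the DOM code so it can be exercised without a browser.

```javascript
// Added example, not code from the thread: self-check for the :visited leak.
// Same stylesheet as the reply (1px unvisited, 2px visited), but instead of
// probing arbitrary URLs it compares one link with a known visited state
// against one with a known unvisited state and reports what the browser does.

const UNVISITED_MARGIN = '1px'; // values from the reply's stylesheet
const VISITED_MARGIN = '2px';

// Pure decision logic, no DOM needed: `controlMargin` is the computed
// margin-left of a link known to be visited, `probeMargin` that of a link
// known to be unvisited.
function interpretProbe(controlMargin, probeMargin) {
  if (controlMargin === VISITED_MARGIN && probeMargin === UNVISITED_MARGIN) {
    return 'leaks';        // 2006-era behaviour: computed style reveals history
  }
  if (controlMargin === probeMargin) {
    return 'protected';    // modern behaviour: :visited never reaches getComputedStyle
  }
  return 'inconclusive';   // stylesheet not applied, or values we did not expect
}

// Browser-only part. Assumption: a link to the current page's own URL matches
// :visited; a random host under the reserved .invalid TLD does not. Nothing is
// fetched; the elements are removed again once the styles have been read.
function runVisitedLeakCheck(doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return 'no-dom';
  const style = doc.createElement('style');
  style.textContent =
    `a { margin-left: ${UNVISITED_MARGIN}; } a:visited { margin-left: ${VISITED_MARGIN}; }`;
  doc.head.appendChild(style);
  const makeLink = (href) => {
    const a = doc.createElement('a');
    a.href = href;
    a.textContent = '.';
    doc.body.appendChild(a);
    return a;
  };
  const control = makeLink(doc.location.href);
  const probe = makeLink(`https://unvisited-${Math.random().toString(36).slice(2)}.invalid/`);
  const view = doc.defaultView;
  const verdict = interpretProbe(
    view.getComputedStyle(control).marginLeft,
    view.getComputedStyle(probe).marginLeft);
  control.remove();
  probe.remove();
  style.remove();
  return verdict;
}

console.log('visited-leak check:', runVisitedLeakCheck());
```

Paste the block into a page's script and the console shows `protected` in any current browser; `leaks` is what the 2006 browsers in the thread would have printed. Using the page's own URL as the visited control avoids having to guess a site the user has been to, which is also why the check says nothing about the user's history beyond the page it runs on.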