BugTraq
Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Jan 04 2007 09:38PM
Amit Klein (aksecurity gmail com) (2 replies)
RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Jan 09 2007 08:40PM
Tom Spector (t spector f5 com)
RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Jan 04 2007 10:46PM
Guy Podjarny (gpodjarny watchfire com) (1 replies)
Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Jan 04 2007 10:58PM
Amit Klein (aksecurity gmail com)
Guy Podjarny wrote:
> Another similar option is to use a single-use random value (not
> encrypted), that gets invalidated after it's served back.
>
> You can save the random value on the (non persistent) session
> (server-side), and serve the PDF only if the correct random value is
> provided.
> Once a random value has been used, it's cleared (single-use).
> In any case where the wrong value is provided - recreate a random value,
> save it on the session, and redirect to the PDF with it (same behavior
> as when the token isn't provided at all).
>
>
Here's an attack against this scheme:

Attacker sends the user a link to http://www.attacker.site/script.cgi

When the user requests http://www.attacker.site/script.cgi, the
script.cgi requests file.pdf from vuln.site. It gets back a redirection
URL and a session cookie. Then, it creates a Flash object that requests
the URL with an injected Cookie header (with the session cookie) and
serves this to the victim client. Voila.

[ reply ]
 

Privacy Statement
Copyright 2010, SecurityFocus