Re: [WEB SECURITY] Advanced Web Attack Techniques using GMail
- From: "Amit Klein (AKsecurity)" <aksecurity@xxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Advanced Web Attack Techniques using GMail
- Date: Sat, 28 Jan 2006 16:49:12 +0200
On 27 Jan 2006 at 14:18, Jeremiah Grossman wrote:
> A few months ago, I discovered a vulnerability in GMail where it
> became trivial to compromise someone's email contact list. I
> demonstrated the issue to a friend at Google by emailing his GMail
> account with a simple link. Upon clicking the link and viewing the
> page, no XSS required, your contacts were displayed on screen (see
> screenshot). From there the email addresses could be easily stolen.
> Imagine if a spammer stumbled across this!
>
Nice one!
Your trick involves "runtime" access to the confidential information inside the JS
resource, by modifying the Array object constructor (BTW - did you try this with other
objects, e.g. String? I think String would be more powerful). This is indeed cool. But
there's another, quite similar technique I came up with (after reading your message), that
grants access to the SOURCE CODE in some cases. Assuming the JS resource contains
information inside FUNCTIONS, and that the interesting functions' names are known, then a
simple funcname.valueOf() yields the function's source (including comments...). This works
in IE 6.0.
In comparison to runtime techniques:
- valueOf() works only for functions, not for "free" code.
- valueOf() requires you to know the name of the function.
- valueOf() grants access to comments, dead code, un-executed branches.
Of course, I don't know how the GMail JS resource looks, so I can't tell if valueOf() would
have been of help.
-Amit
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
Brought to you by http://www.webappsec.org