
RE: [WEB SECURITY] (XSS via file extension) XSS-Phishing on Financial Sites



>> JPG on the server that then breaks is a little more obvious - at least
>> to me.

Now I am thinking that I did miss something.  Does the jpeg have to
break?  Is there anything that would keep your own embedded script in
the fake jpeg from drawing a real jpeg as well?  For instance, load up a
fake (script) image to the server, load up a real one, fake (script)
image runs an exploit and then draws an image tag with the real one as
the source, or an off-site one, etc.

I played with object and embed tags a bit last night and got no soup.
Of course qualifying that as just casual playing, not seriously
concerted research.

________________________________

From: RSnake [mailto:rsnake@shocking.com]
Sent: Wed 6/28/2006 12:25 AM
To: Matt Fisher
Cc: Web Security
Subject: RE: [WEB SECURITY] (XSS via file extension) XSS-Phishing on Financial Sites




> RSnake: I hear you about the SE elements, but really; a trusted
> extension on a trusted site?  Not a very tough SE hack really, unless
> I'm missing something.  Would be sweet if it worked in an image tag
> though.  Must be a way ....

Yes, you can fool someone into clicking on a link by saying "hey look at
my cool picture I uploaded", but that's far far less effective for large
scale attacks than automatic script execution.  So yes, it's just an SE
hack, but another variant of the same SE is to get someone to click on a
link to another site "Look at this interesting article I found on the
web that is relating to the topic in question.".

That site can then iframe the .jpg file with your JavaScript in it.
That iframe will keep the same origin policy and therefore run in the
context of the victim domain in question.  Still an SE hack, but it
doesn't look out of the ordinary (and may not look like anything at all
if the iframe is hidden by CSS).  Getting someone to click a link to a
JPG on the server that then breaks is a little more obvious - at least
to me.

So sure, if you use an iframe to frame the image (requiring HTML
injection) that'll work for automatic execution, which is actually one
way I could see that someone might have implemented that for avatars on
some messageboard somewhere (that's how Adsense and YPN pull in their
listings inside the JavaScript tag for instance).  I don't disbelieve
Adrian saw what he thought he saw, but it wasn't inside of an image tag.
Other possibles are object tags, embed tags, etc...  There are lots
other ways to do it.

-RSnake
http://ha.ckers.org/
http://ha.ckers.org/xss.html
http://ha.ckers.org/blog/feed/
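The thread turns on one server-side weakness: a file is accepted and served as a ".jpg" on the strength of its extension alone, so a browser that frames it may render the HTML inside it in the site's origin. The following is an added example, not code from the thread or from any project discussed in it; it shows the two defender-side checks that close that gap: refuse an upload whose bytes do not match the image format its extension claims, and serve stored uploads with a Content-Type derived from the bytes plus nosniff and a sandboxing CSP so the browser will not reinterpret them as a document. The sample files, the signature table and the function names are constructed for this example.

```python
"""Upload validation and response headers for user-supplied images.

Added example, not code from the mailing-list thread: an upload is
accepted only if its leading bytes match the image type its extension
claims, and the file is served back with headers chosen from its
content rather than its filename.
"""
from typing import Optional

# Magic-byte signatures for the image types we accept (constructed table).
IMAGE_SIGNATURES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}

CONTENT_TYPES = {
    "jpg": "image/jpeg", "jpeg": "image/jpeg",
    "png": "image/png", "gif": "image/gif",
}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None."""
    for ext, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return CONTENT_TYPES[ext]
    return None


def validate_upload(filename: str, data: bytes) -> bool:
    """Accept only if the extension and the actual content agree.

    A file whose bytes begin with markup fails here no matter which
    extension the uploader chose; an unknown extension fails outright.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_SIGNATURES:
        return False
    return sniff_image_type(data) == CONTENT_TYPES[ext]


def response_headers(data: bytes) -> dict:
    """Headers for serving a stored upload back to the browser.

    Content-Type comes from the bytes, not the filename; nosniff stops
    the browser from second-guessing it; the CSP sandbox directive
    neuters the response if it is ever framed as a document anyway.
    Anything that does not sniff as an image is served as an opaque
    binary download.
    """
    ctype = sniff_image_type(data) or "application/octet-stream"
    return {
        "Content-Type": ctype,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples, not files from the thread.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
FAKE_JPEG = b"<!DOCTYPE html><html><body>not an image</body></html>"

if __name__ == "__main__":
    for name, blob in (("avatar.jpg", REAL_JPEG), ("avatar.jpg", FAKE_JPEG)):
        print(name, "accepted" if validate_upload(name, blob) else "rejected",
              response_headers(blob)["Content-Type"])
```

The extension-versus-signature check rejects the "fake (script) image" case the thread describes; the header function is the second line of defence for files that are already on disk. Serving user uploads from a separate origin (a dedicated content domain) removes the same-origin leverage entirely and is the more complete fix; the headers above are what to send when that is not possible.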






Brought to you by http://www.webappsec.org