RE: [WEB SECURITY] JavaScript Malware, port scanning, and beyond
- From: "Billy Hoffman" <Billy.Hoffman@xxxxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] JavaScript Malware, port scanning, and beyond
- Date: Tue, 1 Aug 2006 08:36:35 -0400
What happens if the user/pass are wrong? Does the browser HTTP auth window pop like when you request protected resources using a request from JS like img.src?
-----Original Message-----
From: Amit Klein (AKsecurity) [mailto:aksecurity@hotpop.com]
Sent: Tue 8/1/2006 2:55 AM
To: Jeremiah Grossman
Cc: Web Security
Subject: Re: [WEB SECURITY] JavaScript Malware, port scanning, and beyond

Flash HTTP basic auth works nicely, e.g. authenticating as username
"foo", password "bar":

    // ActionScript 2; "Zm9vOmJhcg==" is base64("foo:bar")
    var req:LoadVars = new LoadVars();
    req.addRequestHeader("Authorization", "Basic Zm9vOmJhcg==");
    req.send("http://www.vuln.site/some/script.cgi?param1=val1&param2=val2", "_blank");

So you can remotely command devices/pages that require HTTP basic auth
(assuming you have the credentials).

-Amit
On 31 Jul 2006 at 15:30, Jeremiah Grossman wrote:

>
> On Jul 31, 2006, at 4:27 PM, Amit Klein (AKsecurity) wrote:
>
> > On 31 Jul 2006 at 12:25, Jeremiah Grossman wrote:
> >
> >>
> >> Brute Forcing Basic HTTP Auth:
> >> HTTP Basic Auth has proven to be a worthy adversary when it comes to
> >> JavaScript Malware. If a target web server has a default u/p basic
> >> auth, like so many DSL routers, and the victim is running Firefox/
> >> Mozilla, you're gold. Firefox/Mozilla support the url notation (http://
> >> user:pass@host/), while Internet Explorer (IE) does not. So forcing
> >> an authenticated Basic Auth request with IE is not possible (as best
> >> we can tell).
> >
> > How about using Flash? You can then force the Authorization request
> > header (I guess - I didn't try it), a-la my "Forging HTTP request
> > headers with Flash":
> >
> > http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00069.html
> > (+ errata at http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00084.html)
>
> Hey, maybe! That's why I posted the limitations, they just might cause
> someone to become interested. I don't have the test environment set up
> to try it myself. Let us know what you find.
>
>
> Jer-
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
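A defender-side companion to the Basic auth header discussed in the thread, added here as an example and not part of any post: it decodes HTTP Basic `Authorization` values as a server or proxy would see them in its access log and flags requests that used a credential pair from a default-credential list. The log lines and the default-credential list are constructed for the example; the header value `Basic Zm9vOmJhcg==` is the one from Amit's snippet.

```python
import base64
import binascii
from typing import List, Optional, Tuple

# Constructed default credential pairs for this example (not from the thread).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("foo", "bar")}


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Decode an HTTP Basic 'Authorization' header value into (user, password).

    Returns None when the scheme is not Basic, the base64 is malformed, or the
    decoded credential has no user:password separator.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        decoded = raw.decode("latin-1")
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def uses_default_credentials(header: str) -> bool:
    """True when the header carries a pair from DEFAULT_CREDENTIALS."""
    creds = parse_basic_auth(header)
    return creds is not None and creds in DEFAULT_CREDENTIALS


# Constructed access-log records: (client, path, Authorization header value).
SAMPLE_LOG = [
    ("192.0.2.10", "/some/script.cgi", "Basic Zm9vOmJhcg=="),  # foo:bar, thread's example
    ("192.0.2.11", "/admin", "Basic YWRtaW46YWRtaW4="),         # admin:admin
    ("192.0.2.12", "/admin", "Basic YWxpY2U6cyNjcjN0"),        # alice:s#cr3t
    ("192.0.2.13", "/admin", "Basic not-base64!"),              # malformed token
    ("192.0.2.14", "/admin", "Bearer abc.def.ghi"),             # not Basic at all
]


def flag_default_logins(log_lines) -> List[Tuple[str, str, str]]:
    """Return (client, path, user) for each request that used default credentials."""
    return [(client, path, parse_basic_auth(auth)[0])
            for client, path, auth in log_lines if uses_default_credentials(auth)]
```

Run over the sample log it reports the `foo` and `admin` logins and silently skips the malformed and non-Basic entries, so the same logic can be dropped into a log-review job for devices that still ship with Basic auth defaults.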