RE: [WEB SECURITY] JavaScript Malware, port scanning, and beyond
- From: "Amit Klein (AKsecurity)" <aksecurity@xxxxxxxxxx>
- Subject: RE: [WEB SECURITY] JavaScript Malware, port scanning, and beyond
- Date: Tue, 01 Aug 2006 18:56:37 +0200
On 1 Aug 2006 at 8:36, Billy Hoffman wrote:
>
> What happens if the user/pass are wrong? Does the browser HTTP auth
> window pop like when you request protected resources using a request
> from JS like img.src?
>
Yep :-(
But hey, if you get it right the first shot, it works well ;-)
-Amit
> -----Original Message-----
> From: Amit Klein (AKsecurity) [mailto:aksecurity@xxxxxxxxxx]
> Sent: Tue 8/1/2006 2:55 AM
> To: Jeremiah Grossman
> Cc: Web Security
> Subject: Re: [WEB SECURITY] JavaScript Malware, port scanning, and beyond
>
> Flash HTTP basic auth works nicely, e.g. authenticating as username
> "foo", password "bar":
>
> var req:LoadVars=new LoadVars();
> req.addRequestHeader("Authorization","Basic Zm9vOmJhcg==");
>
> req.send("http://www.vuln.site/some/script.cgi?param1=val1&param2=val2",
> "_blank");
>
> So you can remote command devices/pages that require HTTP basic auth
> (assuming you have the credentials).
>
> -Amit
>
>
> On 31 Jul 2006 at 15:30, Jeremiah Grossman wrote:
>
> >
> > On Jul 31, 2006, at 4:27 PM, Amit Klein (AKsecurity) wrote:
> >
> > > On 31 Jul 2006 at 12:25, Jeremiah Grossman wrote:
> > >
> > >>
> > >> Brute Forcing Basic HTTP Auth:
> > >> HTTP Basic Auth has proven to be a worthy adversary when it comes to
> > >> JavaScript Malware. If a target web server has a default u/p basic
> > >> auth, like so many DSL routers, and the victim is running Firefox/
> > >> Mozilla, you're gold. Firefox/Mozilla support the url notation
> > >> (http://user:pass@host/), while Internet Explorer (IE) does not. So
> > >> forcing an authenticated Basic Auth request with IE is not possible
> > >> (as best we can tell).
> > >
> > > How about using Flash? You can then force the Authorization request
> > > header (I guess - I didn't try it), a-la my "Forging HTTP request
> > > headers with Flash":
> > >
> > > http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00069.html
> > > (+ errata at http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00084.html)
> >
> > Hey, maybe! That's why I posted the limitations, they just might cause
> > someone to become interested. I don't have the test environment set up
> > to try it myself. Let us know what you find.
> >
> >
> > Jer-
> >
> >
> > ----------------------------------------------------------------------------
> > The Web Security Mailing List:
> > http://www.webappsec.org/lists/websecurity/
> >
> > The Web Security Mailing List Archives:
> > http://www.webappsec.org/lists/websecurity/archive/
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> >
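Seen from the device side, the forged request discussed in this thread is an ordinary Basic-auth request, so the useful checks are whether the credentials are still factory defaults and whether the request was started from another site. The following is an added example, not code from the thread: the default-credential list, the function names and the sample hosts are constructed assumptions, and the Referer/Origin comparison is a heuristic, not proof.

```javascript
// Constructed list of default credential pairs (illustrative; "foo:bar" is the thread's example).
const DEFAULT_PAIRS = new Set(["foo:bar", "admin:admin"]);

// Parse an Authorization header value; returns {user, pass} or null if it is not valid Basic auth.
function parseBasicAuth(value) {
  const m = /^\s*Basic\s+([A-Za-z0-9+\/]+={0,2})\s*$/i.exec(value || "");
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const i = decoded.indexOf(":"); // split on the first ':' only; the password may contain ':'
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Host part of a Referer/Origin URL, or null when the header is absent or unparsable.
function hostOf(url) {
  try { return new URL(url).host.toLowerCase(); } catch { return null; }
}

// Classify one request to a Basic-auth protected admin page from its headers.
function assessRequest(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v; // header names are case-insensitive
  const creds = parseBasicAuth(h["authorization"]);
  if (!creds) return { hasBasicAuth: false, findings: [] };
  const findings = [];
  if (DEFAULT_PAIRS.has(`${creds.user}:${creds.pass}`)) findings.push("default-credentials");
  const source = hostOf(h["origin"] || h["referer"]);
  const self = (h["host"] || "").toLowerCase();
  if (source === null) findings.push("no-source-header");
  else if (source !== self) findings.push("cross-site-source");
  return { hasBasicAuth: true, findings };
}

// Constructed sample requests (hosts and credentials are made up for the example).
const SAMPLE_FORGED = {
  Host: "192.168.1.1",
  Authorization: "Basic Zm9vOmJhcg==",
  Referer: "http://other-site.example/page.html",
};
const SAMPLE_NORMAL = {
  Host: "192.168.1.1",
  Authorization: "Basic " + Buffer.from("alice:s3cret:x").toString("base64"),
  Referer: "http://192.168.1.1/index.html",
};
```

A request flagged with both findings is the pattern the thread describes; the durable fix on the device is to change the default credentials, since the source headers may be missing or untrustworthy.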