[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [WEB SECURITY] JavaScript Malware, port scanning, and beyond

From: Achim Hoffmann <kirke11@xxxxxxxxxxxx>
Subject: Re: [WEB SECURITY] JavaScript Malware, port scanning, and beyond
Date: Wed, 2 Aug 2006 10:37:31 +0200 (MEST)



{-: Achim

On Tue, 1 Aug 2006, Amit Klein (AKsecurity) wrote:

!! On 1 Aug 2006 at 8:36, Billy Hoffman wrote:
!!
!! >
!! > What happens if the user/pass are wrong? Does the browser HTTP auth
!! > window pop like when you request protected resources using a request
!! > from JS like img.src?
!! >
!!
!! Yep :-(
!!
!! But hey, if you get it right the first shot, it works well ;-)
!!
!! -Amit

with XMLHttpRequest's open you either can pass username and password as
part of the URL (user:pass@http:/....), or use open() with username and
password parameter. In both cases XMLHttpRequest inserts the Authorization
header in the final request.
If the credentials are wrong, the server responds with 401, usually, then
you get the browser's popup window.

Amit, do you say that Flash shows the popup window itself?

{-: Achim


!! > -----Original Message-----
!! > From: Amit Klein (AKsecurity) [mailto:aksecurity@xxxxxxxxxx]
!! > Sent: Tue 8/1/2006 2:55 AM
!! > To: Jeremiah Grossman
!! > Cc: Web Security
!! > Subject: Re: [WEB SECURITY] JavaScript Malware, port scanning, and
!! > beyond
!! >
!! > Flash HTTP basic auth works nicely, e.g. authenticating as username
!! > "foo", password "bar":
!! >
!! >  var req:LoadVars=new LoadVars();
!! >  req.addRequestHeader("Authorization","Basic Zm9vOmJhcg==");
!! >
!! > req.send("http://www.vuln.site/some/script.cgi?param1=val1&param2=val2";,
!! > "_blank");
!! >
!! > So you can remote command devices/pages that require HTTP basic auth
!! > (assuming you have the
!! > credentials).
!! >
!! > -Amit
!! >
!! >
!! > On 31 Jul 2006 at 15:30, Jeremiah Grossman wrote:
!! >
!! > >
!! > > On Jul 31, 2006, at 4:27 PM, Amit Klein (AKsecurity) wrote:
!! > >
!! > > > On 31 Jul 2006 at 12:25, Jeremiah Grossman wrote:
!! > > >
!! > > >>
!! > > >> Brute Forcing Basic HTTP Auth:
!! > > >> HTTP Basic Auth has proven to be a worthy adversary when it come to
!! > > >> JavaScript Malware. If a target web server has a default u/p basic
!! > > >> auth, like so many DSL routers, and the victim is running Firefox/
!! > > >> Mozilla, your gold. Firefox/Mozilla support the url notation
!! > (http://
!! > > >> user:pass@host/), while Internet Explorer (IE) does not. So forcing
!! > > >> an authenticated Basic Auth request with IE is not possible (as
!! > best
!! > > >> we can tell).
!! > > >
!! > > > How about using Flash? you can then force the Authorization request
!! > > > header (I guess - I
!! > > > didn't try it), a-la my "Forging HTTP request headers with Flash":
!! > > >
!! > > > http://www.webappsec.org/lists/websecurity/archive/2006-07/
!! > > > msg00069.html
!! > > > (+ errata at http://www.webappsec.org/lists/websecurity/archive/
!! > > > 2006-07/msg00084.html)
!! > >
!! > > Hey, maybe! Thats why I posted the limitations, they just might cause
!! > > someone become interested. I don't have the test environment set up
!! > > to try it myself. Let us know what you find.
!! > >
!! > >
!! > > Jer-
!! > >
!! > >
!! > > ----------------------------------------------------------------------
!! > ------
!! > > The Web Security Mailing List:
!! > > http://www.webappsec.org/lists/websecurity/
!! > >
!! > > The Web Security Mailing List Archives:
!! > > http://www.webappsec.org/lists/websecurity/archive/
!! > > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
!! > >
!! >
!! >
!! >
!! > ------------------------------------------------------------------------
!! > ----
!! > The Web Security Mailing List:
!! > http://www.webappsec.org/lists/websecurity/
!! >
!! > The Web Security Mailing List Archives:
!! > http://www.webappsec.org/lists/websecurity/archive/
!! > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
!! >
!! >
!! >
!!
!!
!!
!! ----------------------------------------------------------------------------
!! The Web Security Mailing List:
!! http://www.webappsec.org/lists/websecurity/
!!
!! The Web Security Mailing List Archives:
!! http://www.webappsec.org/lists/websecurity/archive/
!! http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
!!


----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Follow-Ups:
- Re: [WEB SECURITY] JavaScript Malware, port scanning, and beyond
  - From: Amit Klein (AKsecurity)

References:
- RE: [WEB SECURITY] JavaScript Malware, port scanning, and beyond
  - From: Amit Klein (AKsecurity)

Prev by Date: RE: [WEB SECURITY] JavaScript Malware, port scanning, and beyond
Next by Date: [WEB SECURITY] XSS at Netcraft.com
Previous by thread: RE: [WEB SECURITY] JavaScript Malware, port scanning, and beyond
Next by thread: Re: [WEB SECURITY] JavaScript Malware, port scanning, and beyond
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site