
RE: [WEB SECURITY] Traversing the Web (the javascript way)



pdp,

You have a small bug in your code. For your stage1 iframe to
proxydrop.com, you are not URL encoding your Base64ed value for the q
parameter.

If I do a spider of www.msblabs.org, the request for the stage1 iframe
looks like this:

GET /index.php?hl=0010101001&q=aHR0cDovL3d3dy5nbnVjaXRpemVuLm9yZy9wcm9qZWN0cy9qYXZhc2NyaXB0LXNwaWRlci9sYXVuY2guaHRtI3NwaWRlcjp3d3cubXNibGFicy5vcmc= HTTP/1.1

The trailing = is part of the Base64ed data, and will cause you problems
if you need to send other name/value pairs after "q" in the URL to
proxydrop.

Other than that, this is freaking awesome! I'm surprised that the
fragment of a parent's URL can be modified when the rest of the location
cannot be. However, fragments are considered to be a "client-side" part
of the URL and are processed by the browser, so I guess this makes
sense.

Keep up the good work,
Billy Hoffman
--
Lead Researcher, SPI Labs
SPI Dynamics Inc. - http://www.spidynamics.com
Phone:  678-781-4800
Direct:   678-781-4845
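As an added example (not code from this mail, and not from pdp's JavaScript SPIDER), here is how the stage1 iframe URL can be built so that the Base64 payload survives the query string. The proxy host and path, the hl value and the launcher URL are taken from the request quoted above; the second target is constructed purely to force a '+' into the Base64, which goes a step beyond the mail's point about the trailing '=': a form-style query decoder turns a raw '+' into a space, so the naive URL delivers a corrupted payload while the percent-encoded one round-trips.

```javascript
// Added example, not code from the mail or from the JavaScript SPIDER project.
// Builds the stage1 "proxydrop" URL with the Base64 payload percent-encoded,
// and shows what a form-style query decoder recovers in the naive vs. fixed case.

const PROXY_BASE = "http://proxydrop.com/index.php"; // host and path from the quoted request
const HL = "0010101001";                             // hl value from the quoted request

// The spider launcher URL carried in q=, as decoded from the quoted request.
const TARGET = "http://www.gnucitizen.org/projects/javascript-spider/launch.htm#spider:www.msblabs.org";
// The q value exactly as it appeared in the quoted GET line.
const MAIL_Q = "aHR0cDovL3d3dy5nbnVjaXRpemVuLm9yZy9wcm9qZWN0cy9qYXZhc2NyaXB0LXNwaWRlci9sYXVuY2guaHRtI3NwaWRlcjp3d3cubXNibGFicy5vcmc=";

// Constructed target (not from the mail): 24 bytes followed by ">>>", chosen so
// its Base64 ends in "Pj4+", i.e. it contains a '+' from the Base64 alphabet.
const PLUS_TARGET = "http://www.msblabs.org/#>>>";

// btoa()/atob() in the browser; Buffer in Node. Both produce standard Base64
// with the '+', '/' and '=' characters that are unsafe in a raw query string.
function toBase64(s) {
  return Buffer.from(s, "utf8").toString("base64");
}
function fromBase64(b) {
  return Buffer.from(b, "base64").toString("utf8");
}

// Naive construction, as in the original stage1 iframe: raw Base64 after q=.
function buildNaiveUrl(target, hl = HL) {
  return `${PROXY_BASE}?hl=${hl}&q=${toBase64(target)}`;
}

// Fixed construction: every name and value goes through encodeURIComponent,
// so '=' becomes %3D, '+' becomes %2B and '/' becomes %2F.
function buildEncodedUrl(target, hl = HL) {
  const pairs = [["hl", hl], ["q", toBase64(target)]];
  const query = pairs
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
  return `${PROXY_BASE}?${query}`;
}

// What a form-decoding server (PHP's $_GET and friends) sees: split on '&',
// split each pair on the first '=', percent-decode, and turn '+' into a space.
// URLSearchParams applies exactly those rules.
function recoverTarget(url) {
  const q = new URL(url).searchParams.get("q");
  return q === null ? null : fromBase64(q);
}

// Stand-alone demo.
console.log(buildNaiveUrl(TARGET));
console.log(buildEncodedUrl(TARGET));
console.log(recoverTarget(buildNaiveUrl(PLUS_TARGET)));   // '+' read as a space: payload truncated
console.log(recoverTarget(buildEncodedUrl(PLUS_TARGET))); // the original PLUS_TARGET, intact
```

The same rule applies to any value dropped into the query string by the spider: encode each value separately with encodeURIComponent rather than encoding the assembled URL, so the '&' and '=' that separate pairs stay literal while the ones inside values do not.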

-----Original Message-----
From: pdp (architect) [mailto:pdp.gnucitizen@xxxxxxxxxxxxxx] 
Sent: Tuesday, October 10, 2006 3:00 AM
To: full-disclosure@xxxxxxxxxxxxxxxxx; websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] Traversing the Web (the javascript way)

http://www.gnucitizen.org/blog/traversing-the-web/

The paper that explains the nature of the JavaScript SPIDER can be
found at the location above. In this article I take the concept of
request proxies further by showing how attackers can use them to write
JavaScript code that can bypass the same origin restriction. You might
be a bit confused about the point of this exercise. I agree that there
are quite a lot of tutorials and frameworks that go into depth on this
subject; however, the implementation here is a bit different.

This technique together with Google AJAX Search API can be used by
JavaScript based worms to propagate outside of the current domain.

If you have any ideas of how to improve this technique or how to
prevent it from happening, don't hesitate to leave a comment.

-- 
pdp (architect)
http://www.gnucitizen.org

------------------------------------------------------------------------
----
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

