
Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous



James Landis wrote:
> Associating a timestamp and IP address with this scheme eliminates this attack.

Exactly, which retracts it to the algorithm I suggested earlier. Now, I don't do the session trick and one time use, because once you tie to the IP (+expiration), I don't see a lot of value in that.


On 1/4/07, *Amit Klein* <aksecurity@xxxxxxxxx> wrote:

    Guy Podjarny wrote:
    > Another similar option is to use a single-use random value (not
    > encrypted), that gets invalidated after it's served back.
    >
    > You can save the random value on the (non persistent) session
    > (server-side), and serve the PDF only if the correct random value is
    > provided.
    > Once a random value has been used, it's cleared (single-use).
    > In any case where the wrong value is provided - recreate a random value,
    > save it on the session, and redirect to the PDF with it (same behavior
    > as when the token isn't provided at all).
    >
    >
    Here's an attack against this scheme:

    Attacker sends the user a link to
    http://www.attacker.site/script.cgi

    When the user requests http://www.attacker.site/script.cgi, the
    script.cgi requests file.pdf from vuln.site. It gets back a redirection
    URL and a session cookie. Then, it creates a Flash object that requests
    the URL with an injected Cookie header (with the session cookie) and
    serves this to the victim client. Voila.


    ----------------------------------------------------------------------------
    The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/

    The Web Security Mailing List Archives:
    http://www.webappsec.org/lists/websecurity/archive/
    http://www.webappsec.org/rss/websecurity.rss [RSS Feed]




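The two PDF-gating schemes discussed in this thread, modelled side by side as an added example (this is not code from the thread or from any of the posters). The first class is the quoted single-use session token; the second binds the token to the requesting IP address and an issue timestamp, implemented here as a keyed HMAC so that no server-side state is needed (the stateless construction, the class and function names, the 60-second lifetime and the IP addresses are all assumptions for illustration). `cookie_replay_attack` plays out Amit Klein's attack: script.cgi fetches the PDF from its own host, keeps the redirect URL and Set-Cookie value, and the victim's browser then presents both from a different IP.

```python
"""Added example: session-token vs IP+timestamp-bound token for gating
a PDF URL, with the cookie-replay attack from the thread simulated.
All names, addresses and the 60 s lifetime are constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

PDF_PATH = "/file.pdf"          # the gated resource on vuln.site
ATTACKER_IP = "198.51.100.7"    # constructed addresses (RFC 5737 ranges)
VICTIM_IP = "203.0.113.42"
T0 = 1_167_900_000              # constructed "now", in seconds


@dataclass
class Response:
    kind: str                          # "redirect" or "serve"
    session_id: Optional[str] = None   # value the server would Set-Cookie
    url: Optional[str] = None          # Location header for redirects


def token_from_url(url: str) -> str:
    """Pull the t= parameter back out of a redirect URL."""
    return url.split("?t=", 1)[1]


class SessionTokenGate:
    """The quoted scheme: a random single-use token kept in the server-side
    session. Serve the PDF if the presented token matches the session's,
    then clear it; otherwise mint a fresh token and redirect with it."""

    def __init__(self):
        self.sessions = {}  # session_id -> pending token (None once used)

    def request(self, session_id, token, client_ip, now) -> Response:
        # client_ip and now are ignored: that is what the attack exploits.
        if session_id not in self.sessions:          # no or unknown cookie
            session_id = secrets.token_hex(16)
            self.sessions[session_id] = None
        expected = self.sessions[session_id]
        if token is not None and expected is not None \
                and hmac.compare_digest(token, expected):
            self.sessions[session_id] = None          # single use
            return Response("serve", session_id)
        fresh = secrets.token_hex(16)
        self.sessions[session_id] = fresh
        return Response("redirect", session_id, f"{PDF_PATH}?t={fresh}")


class BoundTokenGate:
    """The fix the thread converges on: tie the token to the client's IP
    and an issue time. Done here statelessly: token = "<issued>.<HMAC>",
    accepted only if the HMAC verifies for the IP now presenting it and
    the token is at most `ttl` seconds old."""

    def __init__(self, key: bytes, ttl: int = 60):
        self.key = key
        self.ttl = ttl

    def _mac(self, client_ip: str, issued: int) -> str:
        msg = f"{client_ip}|{issued}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def _valid(self, token: str, client_ip: str, now: int) -> bool:
        issued, _, mac = token.partition(".")
        if not issued.isdigit():
            return False
        age = now - int(issued)
        return 0 <= age <= self.ttl and \
            hmac.compare_digest(mac, self._mac(client_ip, int(issued)))

    def request(self, session_id, token, client_ip, now) -> Response:
        if token is not None and self._valid(token, client_ip, now):
            return Response("serve", session_id)
        fresh = f"{int(now)}.{self._mac(client_ip, int(now))}"
        return Response("redirect", session_id, f"{PDF_PATH}?t={fresh}")


def cookie_replay_attack(gate) -> bool:
    """script.cgi on attacker.site fetches the PDF URL itself, keeps the
    redirect target (token) and Set-Cookie value, then has the victim's
    browser (Flash with an injected Cookie header) request that exact URL.
    Returns True if vuln.site serves the PDF to the victim."""
    first = gate.request(None, None, ATTACKER_IP, T0)
    assert first.kind == "redirect"
    stolen_token = token_from_url(first.url)
    stolen_cookie = first.session_id
    replay = gate.request(stolen_cookie, stolen_token, VICTIM_IP, T0 + 2)
    return replay.kind == "serve"


def legitimate_flow(gate, delay: int = 0) -> bool:
    """A real user follows the redirect from the same IP `delay` seconds
    later. Returns True if the PDF is served."""
    first = gate.request(None, None, VICTIM_IP, T0)
    second = gate.request(first.session_id, token_from_url(first.url),
                          VICTIM_IP, T0 + delay)
    return second.kind == "serve"


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("session token, replay served:", cookie_replay_attack(SessionTokenGate()))
    print("bound token, replay served:", cookie_replay_attack(BoundTokenGate(key)))
    print("bound token, same IP in time:", legitimate_flow(BoundTokenGate(key)))
    print("bound token, expired:", legitimate_flow(BoundTokenGate(key), delay=600))
```

The bound token deliberately drops the single-use property, as the reply above says; the trade-off is that within the lifetime the same token is accepted again from the same address, so clients behind one NAT or proxy share that window. Keeping the lifetime short is what limits it.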