
Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous



James Landis wrote:
> I never said your solution was WEAK, just that it is WEAKER.
I think you're missing my point. An algorithm with one-use token (with no IP binding) is the weaker algorithm. Here's an attack against it:

Attacker sends the user a link to http://www.attacker.site/script.cgi


When the user requests http://www.attacker.site/script.cgi, the script.cgi requests file.pdf from vuln.site. It gets back a redirection URL and a session cookie/one-use-cookie. Then, it creates a Flash object that requests the URL with an injected Cookie header (with the session cookie/one-use-cookie) and serves this to the victim client. Voila.
> Yes, it is still theoretically very difficult to construct valid tokens by breaking the encryption algorithm,
You mean, it's as difficult as, say, breaking the streaming encryption of SSL... (if we implement with, say, an AES-based algo) the de-facto standard, considered pretty secure.
> but it is certainly weaker to expose reconstructable values to the client than to expose only a random value from the same keyspace. Also note the class of insider attacks which involve gaining the key and algorithm without reversing it.
An insider can probably manipulate the server in this case, which is end-game. He can also probably steal the SSL private key, etc.
> In addition, if the server is using a published algorithm, the attacker can also mount chosen-key attacks as well.

Huh? Cipher algorithms are usually public. And I don't get the "chosen key attack"? The whole idea is that the key is secret, maintained on the server. If the attacker chooses this key, then the game is over...
> In practice, for both methods it is probably easier to attack the client by forcing them to use a valid generated token via one of the attack schemes already discussed.

What attack methods do you refer to, which are applicable to my algorithm?

-Amit
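As an added example (not code from Amit, James, or the list; the thread gives neither algorithm), the replay Amit describes against a one-use token with no IP binding, beside a keyed token that binds the client IP and an expiry, so a token fetched by the attacker's server fails when the victim's browser presents it. An HMAC-SHA256 tag is assumed in place of the unspecified "AES based" construction, and the key, IPs and timestamps are constructed for the demonstration.

```python
import hmac, hashlib, secrets

# Constructed server-side secret; a real deployment would load it from a key store.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 60  # seconds a token stays valid

def issue_token(resource: str, client_ip: str, now: float) -> str:
    """Token = resource|expiry|MAC, where the MAC also covers the requesting IP."""
    expires = int(now) + TOKEN_TTL
    msg = f"{resource}|{expires}|{client_ip}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{resource}|{expires}|{mac}"

def verify_token(token: str, client_ip: str, now: float) -> bool:
    """Accept only if unexpired and the MAC matches for the IP now presenting it."""
    try:
        resource, expires_s, mac = token.split("|")
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    if now > expires:
        return False  # expired
    msg = f"{resource}|{expires}|{client_ip}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def bound_replay_succeeds(attacker_ip: str, victim_ip: str, now: float) -> bool:
    """script.cgi (attacker_ip) fetches the token; the victim (victim_ip) presents it."""
    token = issue_token("file.pdf", attacker_ip, now)
    return verify_token(token, victim_ip, now + 1)

# Contrast: a random one-use token with no binding, as in the weaker scheme.
_unredeemed: set = set()

def issue_one_use_token() -> str:
    t = secrets.token_hex(16)
    _unredeemed.add(t)
    return t

def redeem_one_use_token(t: str) -> bool:
    if t in _unredeemed:
        _unredeemed.discard(t)  # burned on first use, by whoever presents it
        return True
    return False

def unbound_replay_succeeds() -> bool:
    token = issue_one_use_token()        # fetched by script.cgi
    return redeem_one_use_token(token)   # first use is by the victim: accepted
```

Binding to the client IP is what defeats the hand-off; it also means clients behind a shared NAT or forward proxy share the bound value, which is the usual cost of this check.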

----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/


The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Brought to you by http://www.webappsec.org