WebApp Sec mailing list archives
Re: [WEB SECURITY] Help with referer issues in XSS
From: Stefano Di Paola <stefano.dipaola () wisec it>
Date: Mon, 05 Mar 2012 14:24:07 +0100
Also check for:

5. www.example.com.attacker.com/..

as the referrer, just in case the referrer-checking regexp is broken.

Cheers
Stefano

On Fri, 02/03/2012 at 18.30 -0800, super evr wrote:
> Here's a couple of things to try that I've learned in my experience. First, you can find out more about how the application is checking the REFERER. Find out if the application is only verifying parts of the REFERER or the entire URL. Try taking parts of the REFERER out and see if the request is still valid, for example:
>
> 1. www.example.com/profile.jsp [original]
> 2. www.example.com/arbitrary_page.jsp
> 3. [no referrer]
> 4. www.attacker.com/www.example.com/profile.jsp
>
> If you find a redirector on the site, you can use [2]. If the request is allowed with no REFERER, the attack site can be hosted on HTTPS since HTTPS->HTTP won't send the REFERER [3]. Create a new folder on the attack site with the URL of the victim site. If the referrer checking is strict [1], then the attack might not be as easy. Either way, vuln is still vuln.
>
> Phil
>
> On Mar 2, 2012, at 10:43 AM, Tim <tim-security () sentinelchicken org> wrote:
>
>> > Hello,
>> >
>> > Suppose there is a reflected XSS vulnerability in a pop SNS, but this site is "concerned" about security, so they check the referer field of certain POST requests to make sure that they are normal and correct. Is it possible for me to bypass this check within javascript? It seems that I can't set this parameter like this:
>> >
>> > xmlHttp.setRequestHeader("Referer","http://expected.target");
>> >
>> > It would be appreciated if someone can give me a clue.
>>
>> I'm always interested to see what the community's response is to this question. It comes up relatively frequently in the context of CSRF (since this kind of checking can mitigate CSRF). Often most people are skeptical that this kind of checking is sufficient to prevent CSRF and reflected XSS, but in recent times, I am not aware of a way around it in the general case. Old versions of Flash do allow one to set Referer cross-domain, but it is my impression this was fixed quite some time ago.
>>
>> Various XHR API vulnerabilities have also existed in the past to allow for injection of restricted headers, like Referer, but these could be seen as browser vulnerabilities. Recently [1] it was pointed out how headers containing '-' can be spoofed due to foolishness in CGI-compatible APIs that transliterate header names, but Referer of course doesn't have a '-'.
>>
>> Can anyone give an example of how one would get around Referer checking?
>>
>> tim
>>
>> 1. http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-January/008170.html

_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity () lists webappsec org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
--
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer
Owasp Italy R&D Director
Web: www.wisec.it
Twitter: http://twitter.com/WisecWisec
..................
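The Referer probes listed in this thread (items 1 to 5) each target a particular way a check can be implemented. The following is an added example, not code from any poster or from the site under discussion, that puts three weak checks and one strict check side by side and runs the thread's probe values through them. `www.example.com` and `www.attacker.com` are the placeholder hosts from the thread; the function names and the `probes` table are constructed for this illustration.

```javascript
// Added example (not from the thread): how the Referer bypasses listed in the
// thread map onto common implementations of a Referer check. All names and
// sample values here are constructed for illustration.

const SITE_HOST = "www.example.com"; // the site being protected (assumed)

// Weak check 1: substring match. Item 4 in the thread
// (www.attacker.com/www.example.com/profile.jsp) defeats it, because the
// victim host merely has to appear somewhere in the attacker's URL path.
function weakSubstringCheck(referer) {
  return referer !== undefined && referer.includes(SITE_HOST);
}

// Weak check 2: a regexp whose dots are unescaped and whose host is not
// anchored at a "/" boundary. Item 5 (www.example.com.attacker.com) passes,
// since the regexp never requires the host to END at "www.example.com".
function weakRegexCheck(referer) {
  return referer !== undefined && /^https?:\/\/www.example.com/.test(referer);
}

// Weak check 3: "allow if missing". Item 3 (no Referer at all, e.g. an
// HTTPS-hosted attack page posting to an HTTP target) exploits this.
function allowIfMissingCheck(referer) {
  if (referer === undefined) return true;
  return strictCheck(referer);
}

// Strict check: parse the header as a URL and compare the host exactly.
// A missing or unparsable Referer is rejected rather than waved through.
function strictCheck(referer) {
  if (typeof referer !== "string") return false;
  let url;
  try {
    url = new URL(referer);
  } catch {
    return false;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  return url.hostname === SITE_HOST;
}

// Probe values from the thread (items 1-5) plus a plain attacker origin.
// Constructed sample input; a scheme is added because a real Referer header
// carries one.
const probes = {
  original:  "http://www.example.com/profile.jsp",            // item 1
  otherPage: "http://www.example.com/arbitrary_page.jsp",     // item 2
  missing:   undefined,                                       // item 3
  pathSpoof: "http://www.attacker.com/www.example.com/profile.jsp", // item 4
  subdomain: "http://www.example.com.attacker.com/",           // item 5
  attacker:  "http://www.attacker.com/",
};

// Run every probe through one check and return {probeName: accepted}.
function evaluate(checkFn) {
  const out = {};
  for (const [name, value] of Object.entries(probes)) {
    out[name] = checkFn(value);
  }
  return out;
}

// Stand-alone run: print which probes each implementation lets through.
for (const fn of [weakSubstringCheck, weakRegexCheck, allowIfMissingCheck, strictCheck]) {
  const result = evaluate(fn);
  const accepted = Object.keys(result).filter((k) => result[k]);
  console.log(`${fn.name}: accepts ${accepted.join(", ")}`);
}
```

Note that even `strictCheck` still accepts item 2 (any page on the protected host), which is exactly why the thread points at open redirectors: the host comparison says nothing about which page on that host initiated the request.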
Current thread:
- Help with referer issues in XSS Yuping Li (Mar 06)
- Re: [WEB SECURITY] Help with referer issues in XSS Stefano Di Paola (Mar 06)
- Re: Help with referer issues in XSS gorka - (Mar 06)
- Re: Help with referer issues in XSS Yuping Li (Mar 06)
- RE: Help with referer issues in XSS Alan Tatourian (Mar 06)
- Re: Help with referer issues in XSS Benedetto Nespoli (Mar 07)
- Re: Help with referer issues in XSS Yuping Li (Mar 06)