Full Disclosure mailing list archives
Fwd: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest
From: "Giorgio Fedon" <giorgio.fedon () gmail com>
Date: Sun, 4 Feb 2007 01:26:48 +0100
During the lecture we presented at 23C3 "Subverting Ajax" we focused on many topics about Ajax client side attacks. One of these was called Cross Domain Scripting (Aka XDS or AICS) that exploited a Http Request Splitting Vulnerability to bypass DOM restrictions and inject in realtime javascript code during the user browsing session. This kind of attack relies on: 1) Request Splitting Vulnerability (in Web Browser or Browser Plug-in like flash, + Web Proxy) 2) Frame Injection 3) Some tricks to make it working The goal was to have control over a browsing session among different domains, extending control and interaction. More info are in the last Chapter of our Subverting Ajax Paper (Autoinjecting Cross Domain Scripting): http://events.ccc.de/congress/2006/Fahrplan/events/1602.en.html At 23C3, we also had a nice conversation with Dan Kaminsky about the IE 6 vulnerability reported by Amit Klein, which was exploited to leverage the Request Splitting. Indeed Amit Klein did a great job and he's a pioneer in this kind of research. Giorgio Fedon, Stefano Di Paola
Amit Klein found the same vector that I used here for client-side
backdoors in May 2006 (still
not patched?! *shrieks in horror*), but for cache poisoning:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Web 2.0 backdoors made easy with MSIE & XMLHttpRequest Michal Zalewski (Feb 03)
- Re: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest Michal Zalewski (Feb 03)
- Message not available
- Re: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest Tyop? (Feb 03)
- Re: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest Michal Zalewski (Feb 03)
- Message not available
- Message not available
- Fwd: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest Giorgio Fedon (Feb 03)
- Re: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest Michal Zalewski (Feb 03)
- Re: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest James Matthews (Feb 03)
- Re: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest Amit Klein (Feb 04)
- Re: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest Troy Cregger (Feb 05)