Full Disclosure mailing list archives
Re: The Extended HTML Form attack revisited
From: "Sandro Gauci" <publists () enablesecurity com>
Date: Tue, 24 Jun 2008 11:02:13 +0200
Updated the paper with a table of ports that are blocked for each browser: http://tinyurl.com/5d88ll The results show that Firefox and Safari block exactly the same ports, while Opera makes use of its list of ports. Internet Explorer blocks only 6 ports. The blog post describes how I did this in detail: http://enablesecurity.com/2008/06/23/which-ports-do-web-browsers-block/ or http://tinyurl.com/3oltlq Involves javascript and a packet capture. On Thu, Jun 19, 2008 at 3:09 AM, kuza55 <kuza55 () gmail com> wrote:
Hi, Just thought I'd let you know that Wade Alcorn wrote a similar paper in 2006: http://www.bindshell.net/papers/ipc (Using IMAP3 too), but of course things have changed since then (namely this attack not working against Firefox 2 or 3). Also, there is a complete list of ports that Firefox blocks here: http://www.mozilla.org/projects/netlib/PortBanning.html (which Wade's paper references), and the default protocol handlers which can speak to the blocked ports. Do you know if there's a list of ports published by Microsoft/Opera/Apple about which ports are blocked in their browsers? If not, would you be able to publish the ports you found blocked in an appendix (I'm sure it wouldn't be too much code to whip up to test it, but if you've already done so then there's no point in duplicating work)? I also did some digging myself and found that the reason Firefox doesn't render the response as HTML is because it searches for the string "http" (case-insensitive, no quotes) in the first 8 bytes of the response; if you can satisfy that condition somehow then you can still get it to happen, but of course that seems pretty unlikely. IE also tries to search for a string, in this case "http/" (case-insensitive, no quotes) in the first 1024 bytes, but only so that it can identify http headers, so if you can inject data into the first 1024 bytes of the response you can inject headers to do cache poisoning, etc. (You can probably do header injection against Firefox if you can trigger this, but the problem is of course triggering it on FIrefox) - kuza55 2008/6/19 Sandro Gauci <publists () enablesecurity com>:Hi - Back in 2002 I had published details of a vulnerability affecting most web browsers. It detailed a security flaw that allows attackers to abuse non-HTTP protocols to launch Cross Site Scripting attacks even when a target web application was not vulnerable to XSS. Six years later I'm releasing an update to this research in this paper. This security vulnerability still affects popular web browsers nowadays and the following browsers were tested as vulnerable: * Internet Explorer 6 * Internet Explorer 7 * Internet Explorer 8 (beta 1) * Opera 9.27 * Opera 9.50 * Safari 1.32 * Safari 3.1.1 Others have described how to abuse behavior for purposes other than Cross Site Scripting. NGSSoftware previously published a paper called "Inter-Protocol Exploitation" which references the original EyeonSecurity paper. Paper at: http://resources.enablesecurity.com/resources/the%20extended%20html%20form%20attack%20revisited.pdf or http://tinyurl.com/5d88ll -- Sandro Gauci EnableSecurity Web: http://enablesecurity.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- Sandro Gauci Owner and Founder of EnableSecurity Phone: +356 99463069 Email: sandro () enablesecurity com Web: http://enablesecurity.com/ PGP: 514D B10C 8C3C 15BB 2EFD 49EC 7CCD 73C5 0295 F23B _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- The Extended HTML Form attack revisited Sandro Gauci (Jun 18)
- Re: The Extended HTML Form attack revisited kuza55 (Jun 18)
- Re: The Extended HTML Form attack revisited Sandro Gauci (Jun 24)
- Re: The Extended HTML Form attack revisited kuza55 (Jun 18)