Full Disclosure mailing list archives
Re: Chrome and Safari users open to stealth HTML5 Application Cache attack
From: Chris Evans <scarybeasts () gmail com>
Date: Mon, 28 Jun 2010 06:51:56 -0700
Hello Lava,

It's an interesting twist but it does not seem to offer network attackers any additional advantage beyond what they can already achieve. For example, a similar attack works against the Firefox and Opera browsers I have installed on my laptop:

echo -ne 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 28\r\nExpires: Sat, 01 Jan 2011 00:00:00 GMT\r\n\r\n<script>alert("hi")</script>' | nc -l -p 8080

In both instances, you can prime the cache for the root resource with this payload. If you then completely restart the browsers, you'll see that localhost:8080/ will still execute the script without even consulting the network. (Caching headers are browser and version sensitive so you may have to fiddle with Max-Age, Cache-Control etc. depending on what you have).

In terms of your documented attack, the fake login page (step 6) is shown over plain HTTP, i.e. the SSL lock icon will be missing. This would be the same user experience as if the user were under attack via SSLstrip.

In summary, any http hit on an insecure network is dangerous on all browsers.

(FWIW, Chromium resolves this for me. When I type mail<enter> into the omnibar, it auto-completes to https://mail.google.com/)

Cheers
Chris

On Sun, Jun 27, 2010 at 3:28 PM, Lavakumar Kuppan <lava () andlabs org> wrote:
Google Chrome and Safari support HTML5 Application Cache. But unlike Firefox and Opera they do not ask for user permission before allowing a site to create an Application Cache.

On unsecured networks, attackers could stealthily create malicious Application Caches in the browser of victims for even HTTPS sites.

It has always been possible to poison the browser cache and compromise the victim's account for HTTP based sites. With HTML5 Application Cache, it is possible to poison the cache of even HTTPS sites.

Details - http://blog.andlabs.org/2010/06/chrome-and-safari-users-open-to-stealth.html

I have also released a POC using which both Facebook and Gmail can be compromised.

POC - http://www.andlabs.org/tools/imposter/imposter_poc.zip
Video - http://www.youtube.com/watch?v=00sKMMyXJsI

Cheers,
Lava
http://www.andlabs.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
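The exchange above turns on two points: the standard HTTP cache will replay a response with a far-future Expires header without consulting the network, and the HTML5 Application Cache is registered by a manifest attribute on the html element. The following is an added illustration, not code from either poster. It parses a raw HTTP response (the primed response from the reply is reconstructed here as constructed bytes), computes the freshness lifetime using the RFC 7234 rules rather than any particular browser's behaviour, flags whether the page registers an AppCache manifest, and contrasts the primed response with a constructed hardened variant that sends Cache-Control: no-store. The sample responses, the SEEN_AT timestamp and the /cache.manifest path are all assumptions made for the example.

```python
"""Cache-freshness and AppCache-manifest check for a raw HTTP response.

Added illustration for the thread above, not code from it. Freshness follows
RFC 7234 section 4.2; real browsers deviate in version-specific ways.
"""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the response piped into nc in the reply (28-byte body).
PRIMED_RESPONSE = (
    b'HTTP/1.1 200 OK\r\n'
    b'Content-Type: text/html\r\n'
    b'Content-Length: 28\r\n'
    b'Expires: Sat, 01 Jan 2011 00:00:00 GMT\r\n'
    b'\r\n'
    b'<script>alert("hi")</script>'
)

# Constructed hardened variant: same body, explicitly not storable.
HARDENED_RESPONSE = (
    b'HTTP/1.1 200 OK\r\n'
    b'Content-Type: text/html\r\n'
    b'Content-Length: 28\r\n'
    b'Cache-Control: no-store\r\n'
    b'\r\n'
    b'<script>alert("hi")</script>'
)

# Constructed page that registers an HTML5 Application Cache manifest
# (the manifest path is a placeholder chosen for the example).
APPCACHE_RESPONSE = (
    b'HTTP/1.1 200 OK\r\n'
    b'Content-Type: text/html\r\n'
    b'Cache-Control: max-age=3600\r\n'
    b'\r\n'
    b'<!DOCTYPE html>\n<html manifest="/cache.manifest">\n<body>hi</body></html>'
)

# Assumed time the response was received (the date of the reply, midnight UTC).
SEEN_AT = datetime(2010, 6, 28, tzinfo=timezone.utc)

MANIFEST_RE = re.compile(rb'<html\b[^>]*\bmanifest\s*=\s*["\']?([^"\'\s>]+)', re.I)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b'\r\n\r\n')
    lines = head.decode('latin-1').split('\r\n')
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_cache_control(value):
    """Turn 'max-age=60, no-store' into {'max-age': '60', 'no-store': None}."""
    directives = {}
    for part in value.split(','):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition('=')
        directives[name.strip().lower()] = arg.strip('" ') or None
    return directives


def _http_date(value):
    """Parse an HTTP date; treat a naive result (-0000 zone) as UTC."""
    parsed = parsedate_to_datetime(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def freshness_lifetime(headers, received_at):
    """Seconds the response stays fresh (RFC 7234 4.2.1); None means heuristic."""
    cc = parse_cache_control(headers.get('cache-control', ''))
    if 'no-store' in cc:
        return 0
    if 'max-age' in cc and (cc['max-age'] or '').isdigit():
        return int(cc['max-age'])
    if 'expires' in headers:
        try:
            expires = _http_date(headers['expires'])
            date = _http_date(headers['date']) if 'date' in headers else received_at
        except (TypeError, ValueError):
            return 0  # an unparsable Expires counts as already expired (RFC 7234 5.3)
        return max(0, int((expires - date).total_seconds()))
    return None


def assess(raw, received_at):
    """Report whether the response can be replayed from cache without a network
    round trip, and whether its body would register an Application Cache manifest."""
    _, headers, body = parse_response(raw)
    cc = parse_cache_control(headers.get('cache-control', ''))
    lifetime = freshness_lifetime(headers, received_at)
    must_revalidate = 'no-cache' in cc or 'no-store' in cc
    offline_replay = (not must_revalidate) and lifetime is not None and lifetime > 0
    match = MANIFEST_RE.search(body)
    return {
        'freshness_seconds': lifetime,
        'replays_without_network': offline_replay,
        'appcache_manifest': match.group(1).decode('latin-1') if match else None,
    }


if __name__ == '__main__':
    for label, raw in (('primed', PRIMED_RESPONSE),
                       ('hardened', HARDENED_RESPONSE),
                       ('appcache', APPCACHE_RESPONSE)):
        print(label, assess(raw, SEEN_AT))
```

For the primed response the freshness lifetime comes out at 187 days (Expires minus the assumed receipt time), which is why a restarted browser can serve the cached script without a network hit; the hardened variant reports zero freshness and no offline replay. The manifest check is the cheap signal a proxy or log review can use to notice that a page fetched over plain HTTP is asking the browser to register an Application Cache.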