Full Disclosure mailing list archives

whitepaper: Identifier based XSSI attacks


From: Takeshi Terada <mbsdtest01 () gmail com>
Date: Tue, 14 Apr 2015 21:34:54 +0900

Hello list members,

We released a new technical whitepaper titled:
"Identifier based XSSI attacks"

CVE numbers:
CVE-2014-6345, CVE-2014-7939

URL:
http://www.mbsd.jp/Whitepaper/xssi.pdf

Introduction:
-------------------------------
Cross Site Script Inclusion (XSSI) is an attack technique (or a
vulnerability) that enables attackers to steal data of certain types
across origin boundaries, by including target data using SCRIPT tag in
an attacker's Web page as below:

<!-- attacker's page loads external data with SCRIPT tag -->
<SCRIPT src="http://target.example.jp/secret"></SCRIPT>

For years, it has been known among Web security researchers that
JavaScript files, JSONP and, in certain old browsers, JSON data are
subject to this type of information theft attack. In addition, some
browser vulnerabilities that allow attackers to gain information via
JavaScript error messages have been discovered and fixed in the past.

In 2014, we conducted research on this old topic and discovered some
new attack techniques and browser vulnerabilities that allow attackers
to steal simple text strings such as CSV, and more complex data under
certain circumstances. In the research, we mainly focused on a method
of stealing data as a client side script's identifier (variable or
function name).

In this paper, we first describe these attack techniques / browser
vulnerabilities in the next section and then discuss countermeasures
for these issues.
-------------------------------

Other white papers released last year are available here:
http://www.mbsd.jp/insight.html

- Attacking Android browsers via intent scheme URLs
  http://www.mbsd.jp/Whitepaper/IntentScheme.pdf

- FilterExpression Injection attacks against ASP.NET applications
  http://www.mbsd.jp/Whitepaper/FilterExpression.pdf

--
Takeshi Terada @ Mitsui Bussan Secure Directions, Inc.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
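The countermeasure side of the technique described above, as an added illustration that is not code from the whitepaper, from MBSD or from this post: a data endpoint is exposed to script inclusion when its body is something a JavaScript engine will execute (a CSV of bare names parses as identifier references) and the browser is willing to run the response as a script. The helpers below apply the usual controls (a non-script Content-Type with X-Content-Type-Options: nosniff so the browser refuses to execute it, a syntax-breaking prefix for JSON, and a custom request header that a SCRIPT tag cannot send) and audit an existing response for the same conditions. The header value "X-Requested-With" as the gate, the prefix string and the sample bodies are assumptions chosen for the example.

```python
"""XSSI hardening and audit helpers (added example, not from the whitepaper)."""
import re

# Prefix that makes a JSON body a JavaScript syntax error if loaded via
# <script src>; a same-origin XHR caller strips it before json.loads().
# The exact string is a constructed choice for this example.
ANTI_XSSI_PREFIX = ")]}',\n"

# A line consisting solely of a JavaScript identifier, e.g. a CSV value
# "secret_token": loaded as a script, the line becomes a bare reference to
# that name, which is the identifier-based leak the paper discusses.
_IDENT_LINE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")


def looks_like_js_identifier_lines(body: str) -> bool:
    """True if every non-empty line of the body is a bare identifier, i.e.
    the body is a syntactically valid script made only of name references."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return bool(lines) and all(_IDENT_LINE.match(ln) for ln in lines)


def harden_response(headers: dict, body: str, fmt: str) -> tuple:
    """Return (headers, body) for a data response of format fmt ('json' or
    'csv') with the defensive controls applied: an explicit non-script
    Content-Type, nosniff so the browser will not execute it as a script,
    and, for JSON, the anti-XSSI prefix."""
    content_types = {
        "json": "application/json; charset=utf-8",
        "csv": "text/csv; charset=utf-8",
    }
    out = dict(headers)
    out["Content-Type"] = content_types[fmt]
    out["X-Content-Type-Options"] = "nosniff"
    if fmt == "json":
        body = ANTI_XSSI_PREFIX + body
    return out, body


def is_request_allowed(request_headers: dict) -> bool:
    """A <script src> fetch cannot attach custom request headers, so requiring
    one (constructed name here) rejects script-inclusion requests outright."""
    return request_headers.get("X-Requested-With") == "XMLHttpRequest"


def audit_response(headers: dict, body: str) -> list:
    """Return a list of XSSI findings for an existing response."""
    findings = []
    ctype = headers.get("Content-Type", "").lower()
    served_as_js = ctype.startswith(("text/javascript", "application/javascript"))
    nosniff = headers.get("X-Content-Type-Options", "").lower() == "nosniff"
    if served_as_js:
        findings.append("served with a JavaScript Content-Type")
    if not nosniff:
        findings.append("missing X-Content-Type-Options: nosniff")
    # Only meaningful when the browser could actually execute the body.
    executable = served_as_js or not nosniff
    if (executable and looks_like_js_identifier_lines(body)
            and not body.startswith(ANTI_XSSI_PREFIX)):
        findings.append("body parses as a script of bare identifier references")
    return findings


if __name__ == "__main__":
    # Constructed sample: a CSV export returned as plain text with no controls.
    weak_headers = {"Content-Type": "text/plain"}
    print(audit_response(weak_headers, "alice_token\nbob_token"))
    hardened = harden_response(weak_headers, "alice_token\nbob_token", "csv")
    print(audit_response(*hardened))
```

The audit deliberately treats nosniff plus a non-script Content-Type as sufficient for CSV, while JSON additionally gets the prefix; the request-header gate is the control that works even on browsers that do not honour nosniff, which is why a practitioner would normally combine it with the others rather than rely on any one of them.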

