WebApp Sec mailing list archives
The Extended HTML Form attack revisited
From: publists () enablesecurity com
Date: 18 Jun 2008 13:13:39 -0000
Hi - Back in 2002 I had published details of a vulnerability affecting most web browsers. It detailed a security flaw that allows attackers to abuse non-HTTP protocols to launch Cross Site Scripting attacks even when a target web application was not vulnerable to XSS. Six years later I'm releasing an update to this research in this paper. This security vulnerability still affects popular web browsers nowadays and the following browsers were tested as vulnerable: * Internet Explorer 6 * Internet Explorer 7 * Internet Explorer 8 (beta 1) * Opera 9.27 * Opera 9.50 * Safari 1.32 * Safari 3.1.1 Others have described how to abuse behavior for purposes other than Cross Site Scripting. NGSSoftware previously published a paper called "Inter-Protocol Exploitation" which references the original EyeonSecurity paper. Paper at: http://resources.enablesecurity.com/resources/the%20extended%20html%20form%20attack%20revisited.pdf or http://tinyurl.com/5d88ll -- Sandro Gauci EnableSecurity Web: http://enablesecurity.com/ ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- The Extended HTML Form attack revisited publists (Jun 19)