[WEB SECURITY] JavaScript Malware, port scanning, and beyond
Achim Hoffmann
kirke11 at securenet.de
Wed Aug 2 04:37:31 EDT 2006
{-: Achim
On Tue, 1 Aug 2006, Amit Klein (AKsecurity) wrote:
!! On 1 Aug 2006 at 8:36, Billy Hoffman wrote:
!!
!! >
!! > What happens if the user/pass are wrong? Does the browser HTTP auth
!! > window pop like when you request protected resources using a request
!! > from JS like img.src?
!! >
!!
!! Yep :-(
!!
!! But hey, if you get it right the first shot, it works well ;-)
!!
!! -Amit
with XMLHttpRequest's open you either can pass username and password as
part of the URL (user:pass at http:/....), or use open() with username and
password parameter. In both cases XMLHttpRequest inserts the Authorization
header in the final request.
If the credentials are wrong, the server responds with 401, usually, then
you get the browser's popup window.
Amit, do you say that Flash shows the popup window itself?
{-: Achim
!! > -----Original Message-----
!! > From: Amit Klein (AKsecurity) [mailto:aksecurity at hotpop.com]
!! > Sent: Tue 8/1/2006 2:55 AM
!! > To: Jeremiah Grossman
!! > Cc: Web Security
!! > Subject: Re: [WEB SECURITY] JavaScript Malware, port scanning, and
!! > beyond
!! >
!! > Flash HTTP basic auth works nicely, e.g. authenticating as username
!! > "foo", password "bar":
!! >
!! > var req:LoadVars=new LoadVars();
!! > req.addRequestHeader("Authorization","Basic Zm9vOmJhcg==");
!! >
!! > req.send("http://www.vuln.site/some/script.cgi?param1=val1¶m2=val2",
!! > "_blank");
!! >
!! > So you can remote command devices/pages that require HTTP basic auth
!! > (assuming you have the
!! > credentials).
!! >
!! > -Amit
!! >
!! >
!! > On 31 Jul 2006 at 15:30, Jeremiah Grossman wrote:
!! >
!! > >
!! > > On Jul 31, 2006, at 4:27 PM, Amit Klein (AKsecurity) wrote:
!! > >
!! > > > On 31 Jul 2006 at 12:25, Jeremiah Grossman wrote:
!! > > >
!! > > >>
!! > > >> Brute Forcing Basic HTTP Auth:
!! > > >> HTTP Basic Auth has proven to be a worthy adversary when it come to
!! > > >> JavaScript Malware. If a target web server has a default u/p basic
!! > > >> auth, like so many DSL routers, and the victim is running Firefox/
!! > > >> Mozilla, your gold. Firefox/Mozilla support the url notation
!! > (http://
!! > > >> user:pass at host/), while Internet Explorer (IE) does not. So forcing
!! > > >> an authenticated Basic Auth request with IE is not possible (as
!! > best
!! > > >> we can tell).
!! > > >
!! > > > How about using Flash? you can then force the Authorization request
!! > > > header (I guess - I
!! > > > didn't try it), a-la my "Forging HTTP request headers with Flash":
!! > > >
!! > > > http://www.webappsec.org/lists/websecurity/archive/2006-07/
!! > > > msg00069.html
!! > > > (+ errata at http://www.webappsec.org/lists/websecurity/archive/
!! > > > 2006-07/msg00084.html)
!! > >
!! > > Hey, maybe! Thats why I posted the limitations, they just might cause
!! > > someone become interested. I don't have the test environment set up
!! > > to try it myself. Let us know what you find.
!! > >
!! > >
!! > > Jer-
!! > >
!! > >
!! > > ----------------------------------------------------------------------
!! > ------
!! > > The Web Security Mailing List:
!! > > http://www.webappsec.org/lists/websecurity/
!! > >
!! > > The Web Security Mailing List Archives:
!! > > http://www.webappsec.org/lists/websecurity/archive/
!! > > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
!! > >
!! >
!! >
!! >
!! > ------------------------------------------------------------------------
!! > ----
!! > The Web Security Mailing List:
!! > http://www.webappsec.org/lists/websecurity/
!! >
!! > The Web Security Mailing List Archives:
!! > http://www.webappsec.org/lists/websecurity/archive/
!! > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
!! >
!! >
!! >
!!
!!
!!
!! ----------------------------------------------------------------------------
!! The Web Security Mailing List:
!! http://www.webappsec.org/lists/websecurity/
!!
!! The Web Security Mailing List Archives:
!! http://www.webappsec.org/lists/websecurity/archive/
!! http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
!!
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
More information about the websecurity
mailing list