[WEB SECURITY] JavaScript WebSite Login Checker
Jeremiah Grossman
jeremiah at whitehatsec.com
Thu Dec 14 11:30:54 EST 2006
blogged:
http://jeremiahgrossman.blogspot.com/2006/12/i-know-if-youre-logged-in-anywhere.html
The CSS History hack [1] is a well-known brute force way to uncover
where a victim user has traveled. Great Firefox extensions like
SafeHistory [2] are helping protect against this simple hack, but the
cat and mouse game continues. Despite this tool, I’ve found a new way
to tell where the user has been AND also if they are “logged-in”.
People are frequently and persistently logged-in to popular websites.
Knowing which websites can also be extremely helpful to improving the
success rate of CSRF or Exponential XSS [3] attacks as well as other
nefarious information gathering activities.
The technique uses a similar method to JavaScript Port Scanning [4]
by matching errors from the JavaScript console. Many websites
requiring login have URLs that return different HTML content
depending on whether you are logged in or not. For instance, the “Account
Manager” web page can only be accessed if you’re properly
authenticated. If these URLs are dynamically loaded into a <script
src=""> tag, they will cause the JS Console to error differently
because the response is HTML, not JS. The type of error and line
number can be pattern matched.
Using Gmail as an example, <script src="http://mail.google.com/mail/">
If you are logged-in…
Error: XML tag name mismatch
Source File: http://mail.google.com/mail/
Line: 8, Column: 3
If you are NOT logged-in…
Error: invalid XML attribute value
Source File: http://mail.google.com/mail/
Line: 3, Column: 13
I mapped the error messages from a few popular websites and made some
PoC code.
Firefox Only! (1.5 – 2.0) tested on OS X and WinXP. I don’t want to
hear it about IE and Opera. :)
Proof-of-Concept available:
http://ha.ckers.org/weird/javascript-website-login-checker.html
thanks to RSnake for hosting
Enjoy!
Regards,
Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
http://www.whitehatsec.com/
[1] http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html
[2] http://www.safehistory.com/
[3] http://ha.ckers.org/blog/20061211/exponential-xss-attacks/
[4] http://www.whitehatsec.com/home/resources/presentations/files/javascript_malware.pdf