[WEB SECURITY] JavaScript WebSite Login Checker

Jeremiah Grossman jeremiah at whitehatsec.com
Thu Dec 14 11:30:54 EST 2006


The CSS History hack [1] is a well-known brute force way to uncover  
where a victim user has traveled. Great Firefox extensions like  
SafeHistory [2] are helping protect against this simple hack, but the  
cat and mouse game continues. Despite this tool, I’ve found a new way  
to tell where the user has been AND also if they are “logged-in”.  
People are frequently and persistently logged-in to popular websites.  
Knowing which websites can also be extremely helpful to improving the  
success rate of CSRF or Exponential XSS [3] attacks as well as other  
nefarious information gathering activities.

The technique uses a similar method to JavaScript Port Scanning [4]  
by matching errors from the JavaScript console. Many websites  
requiring login have URL’s that return different HTML content  
depending on if you logged-in or not. For instance, the “Account  
Manager” web page can only be accessed if you’re properly  
authenticated. If these URL’s are dynamically loaded into a <* script  
src=””> tag, they will cause the JS Console to error differently  
because the response is HTML, not JS. The type of error and line  
number can be pattern matched.

Using Gmail as an example, <* script src=” http://mail.google.com/ 

If you are logged-in…

Error: XML tag name mismatch
Source File: http://mail.google.com/mail/
Line: 8, Column: 3

If you are NOT logged-in…

Error: invalid XML attribute value
Source File: http://mail.google.com/mail/
Line: 3, Column: 13

I mapped the error messages from a few popular websites and made some  
PoC code.
Firefox Only! (1.5 – 2.0) tested on OS X and WinXP. I don’t want to  
hear it about IE and Opera. :)

Proof-of-Concept available:

thanks to RSnake for hosting



Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.

[1] http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve- 
[2] http://www.safehistory.com/
[3] http://ha.ckers.org/blog/20061211/exponential-xss-attacks/
[4] http://www.whitehatsec.com/home/resources/presentations/files/ 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20061214/5aa5bf55/attachment.html>

More information about the websecurity mailing list