[WEB SECURITY] (XSS via file extension) XSS-Phishing on Financial Sites

arian.evans arian.evans at anachronic.com
Tue Jun 27 15:42:01 EDT 2006


> -----Original Message-----
> From: Matt Fisher [mailto:mfisher at spidynamics.com] 

> I was able to actually put a block script into a jpeg right at the
> beginning, and it executed.  Unfortunately, the rest of the jpeg didn't
> render as an image (which was my hope), it merely displayed 
> as hex which was pretty ugly.

What about a redirect to an image with your script at the end? That
is what I do with DMSes that show docs as HTML hyperlinks:

hyperlink-->js (renamed to something else so it will execute instead
of prompting a download dialogue)-->js script runs, redirect to real .doc

> Arian, what I have NOT been able to do is just display the 
> images in an HTML file ie < Img src= script . jpg > and have it work...

Yeah, I have a couple of suspicions about what may have happened to lead
me to think I could do this. One of which is lack of intelligence. :)

I had four hours to pen test an app, and I know you're familiar with some
of the strange scenarios one can get, and the results led me to make some
unwarranted assumptions that I clearly need to go back and validate.

(I am thinking now that one of my test scripts wound up somewhere else
on the same pages I was attempting to insert into images, and that I
concluded it was the script in the img src executing; either way, clearly
I need to post working examples with my musings or shut up...)

I am usually pretty rigorous about verification, but every now and then
one has to go and completely miss the boat on something. Heh, I should
do that more in private.

Arian J. Evans
913.378.3571 [mobile]

btw// the address I use for list postings
has been turned into a spam black hole, and
I rarely check it while on the road. If it
is important you reach me for off-list
dialogue, please use my first name at the
same domain. Please do not use or CC that
address while posting to a list however!
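Reading the thread from the defender's side: the condition both posters describe (a "jpeg" that begins with a script block, or a .js renamed so the browser runs it) only works when a site trusts the file extension and lets the browser sniff the bytes. The check below is an added example, not code from the original thread; the magic-number table, the 512-byte window and the sample files are assumptions constructed for the demo.

```python
# Added example: reject uploads whose bytes do not match the type their
# extension claims, and serve uploads with headers that forbid sniffing.
# All sample inputs are constructed; none come from a real site.
import re

# Minimal magic-number table (assumed set for the demo, not exhaustive).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "doc": (b"\xd0\xcf\x11\xe0",),
}

# Markup a sniffing browser may treat as HTML when it appears early.
# This is deliberately conservative: a genuine JPEG comment segment could
# contain these bytes too, and such a file is rejected rather than served.
HTML_MARKERS = re.compile(rb"<\s*(script|html|body|img|iframe|object)", re.I)

def check_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Only the leading bytes matter for sniffing."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False, f"extension .{ext or '?'} not allowed"
    head = data[:512]
    if not any(head.startswith(sig) for sig in MAGIC[ext]):
        return False, f"content does not match .{ext} signature"
    if HTML_MARKERS.search(head):
        return False, "HTML/script markup found in file header"
    return True, "ok"

def safe_download_headers(filename: str, content_type: str) -> dict:
    """Headers for serving user uploads: pin the type, forbid sniffing,
    and force a download so the browser never renders the bytes inline."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{filename}"',
    }

# Constructed samples
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
SCRIPT_FIRST = b"<script>/* constructed */</script>" + b"\xff\xd8\xff\xe0"
SCRIPT_IN_JPEG = b"\xff\xd8\xff\xe0" + b"<script>/* constructed */</script>"
RENAMED_JS = b"/* constructed: a .js posing as .doc */"
```

Running the samples through check_upload shows each of the thread's cases being refused for a stated reason, while the genuine JPEG passes.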

The Web Security Mailing List: 

The Web Security Mailing List Archives: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
