[WEB SECURITY] (XSS via file extension) XSS-Phishing on Financial Sites
mfisher at spidynamics.com
Tue Jun 27 17:24:50 EDT 2006
>>the strange scenarios one can get, and the results led me to make some
mos def. happens to everyone.
>>What about a redirect to an image with your script? at the end? That
>>is what I do with DMS that show docs as HTML hyperlink
Yeah, I thought I put that in there. No? Having crazy mail problems and actually had to switch machines after drafting the first response, but right, just doc.write the full image etc.
The only advantage I see to putting it inside an actual image is for curious / conscientious sysadmins (the JPEG opened fine in IrfanView for me) and bypassing extra-clever filters that look for the JPEG headers or the actual full JPEG (again, admitting that I don't know anything about how JPEGs work).
Which begs an interesting point though ... I'm sure the stego crowd has developed some libs for ... I wonder how effective they would be at validating uploads? Surely they're much better at quickly analyzing misshaped binary formats than the web app world.
RSnake: I hear you about the SE elements, but really: a trusted extension on a trusted site? Not a very tough SE hack really, unless I'm missing something. Would be sweet if it worked in an image tag though. Must be a way ....
From: arian.evans [mailto:arian.evans at anachronic.com]
Sent: Tue 6/27/2006 3:42 PM
To: 'Web Security'
Subject: RE: [WEB SECURITY] (XSS via file extension) XSS-Phishing on Financial Sites
> -----Original Message-----
> From: Matt Fisher [mailto:mfisher at spidynamics.com]
> I was able to actually put a block script into a jpeg right at the
> beginning, and it executed. Unfortunately, the rest of the jpeg didn't
> render as an image (which was my hope), it merely displayed
> as hex which was pretty ugly.
What about a redirect to an image with your script? at the end? That
is what I do with DMS that show docs as HTML hyperlink
hyperlink-->js (renamed to something else so it will execute instead
of prompt download dialogue)-->js script runs, redirect to real .doc
> Arian, what I have NOT been able to do is just display the
> images in an HTML file ie < Img src= script . jpg > and have it work...
Yeah, I have a couple suspicions about what may have happened to lead
me to think I could do this. One of which is lack of intelligence. :)
I had four hours to pen test an app, and I know you're familiar with some
of the strange scenarios one can get, and the results led me to make some
unwarranted assumptions that I clearly need to go back and validate.
(I am thinking now that one of my test scripts wound up somewhere else
on the same pages I was attempting to insert into images, and that I
concluded it was the script in the img src executing; either way, clearly
I need to post working examples with my musings or shutup...)
I am usually pretty rigorous about verification, but every now and then
one has to go and completely miss the boat on something. Heh, I should
do that more in private.
Arian J. Evans
btw// the address I use for list postings
has been turned into a spam black hole, and
I rarely check it while on the road. If it
is important you reach me for off-list
dialogue, please use my first name at the
same domain. Please do not use or CC that
address while posting to a list however!
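The question raised in the thread is how an upload filter can tell a real JPEG from a script block wearing a .jpg extension. As an added example (not code from anyone on the list), the validator below walks the JPEG marker segments from SOI to EOI instead of trusting the extension; the sample bytes are constructed for the demo and the function names are the example's own.

```python
# Added example, not from the thread: trust the bytes, not the extension.
import struct
SOI, EOI = b"\xff\xd8", b"\xff\xd9"

def is_well_formed_jpeg(data: bytes) -> bool:
    """Walk the JPEG segment table; True only if it runs cleanly from SOI to EOI."""
    n = len(data)
    if n < 4 or data[:2] != SOI:
        return False  # no Start-Of-Image marker: not a JPEG, whatever the name says
    pos = 2
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return False  # every segment must begin with a marker byte
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:  # EOI: structure complete
            return True
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn carry no length
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0] if pos + 4 <= n else 0
        if length < 2 or pos + 2 + length > n:
            return False  # declared length runs past the file: malformed
        pos += 2 + length
        if marker == 0xDA:  # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return False  # ran off the end without seeing EOI

def accept_upload(filename: str, data: bytes) -> tuple:
    """Extension allow-list first, then the structural check on the bytes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ("jpg", "jpeg"):
        return False, "extension not allowed"
    if not is_well_formed_jpeg(data):
        return False, "content is not a well-formed JPEG"
    return True, "ok"

def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: a structurally valid skeleton (APP0 + SOS + scan + EOI), not a decodable picture
GOOD_JPEG = (SOI + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
             + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56" + EOI)
SCRIPT_THEN_JPEG = b"<script>/* constructed */</script>" + GOOD_JPEG  # script block at byte 0
```

A file that opens with a script block fails at byte 0, and a truncated or oversized segment table fails without the parser reading past the buffer, which is the failure mode a filter that only sniffs the first few header bytes would miss.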
The Web Security Mailing List:
The Web Security Mailing List Archives:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]