[WEB SECURITY] (XSS via file extension) XSS-Phishing on Financial Sites

Matt Fisher mfisher at spidynamics.com
Tue Jun 27 17:24:50 EDT 2006

>> the strange scenarios one can get, and the results led me to make some

Mos def. Happens to everyone.
 
>> What about a redirect to an image with your script at the end? That
>> is what I do with DMS that show docs as HTML hyperlinks
 
Yeah, I thought I put that in there. No? Having crazy mail problems and actually had to switch machines after drafting the first response. But right, just doc.write the full image etc.
 
The only advantage I see to putting it inside an actual image is for curious / conscientious sysadmins (the JPEG opened fine in IrfanView for me) and bypassing extra-clever filters that look for the JPEG headers or an actual full JPEG (again, admitting that I don't know anything about how JPEGs work).
 
Which begs an interesting point though... I'm sure the stego crowd has developed some libs for ... I wonder how effective they would be at validating uploads? Surely they're much better at quickly analyzing misshaped binary formats than the web app world.
 
 
RSnake: I hear you about the SE elements, but really; a trusted extension on a trusted site? Not a very tough SE hack really, unless I'm missing something. Would be sweet if it worked in an image tag though. Must be a way....

________________________________

From: arian.evans [mailto:arian.evans at anachronic.com]
Sent: Tue 6/27/2006 3:42 PM
To: 'Web Security'
Subject: RE: [WEB SECURITY] (XSS via file extension) XSS-Phishing on Financial Sites

> -----Original Message-----
> From: Matt Fisher [mailto:mfisher at spidynamics.com]

> I was able to actually put a block script into a jpeg right at the
> beginning, and it executed.  Unfortunately, the rest of the jpeg didn't
> render as an image (which was my hope), it merely displayed
> as hex which was pretty ugly.

What about a redirect to an image with your script at the end? That
is what I do with DMS that show docs as HTML hyperlinks:

hyperlink-->js (renamed to something else so it will execute instead
of prompt download dialogue)-->js script runs, redirect to real .doc

etc.

> Arian, what I have NOT been able to do is just display the
> images in an HTML file ie < Img src= script . jpg > and have it work...

Yeah, I have a couple suspicions about what may have happened to lead
me to think I could do this. One of which is lack of intelligence. :)

I had four hours to pen test an app, and I know you're familiar with some
of the strange scenarios one can get, and the results led me to make some
unwarranted assumptions that I clearly need to go back and validate.

(I am thinking now that one of my test scripts wound up somewhere else
on the same pages I was attempting to insert into images, and that I
concluded it was the script in the img src executing; either way, clearly
I need to post working examples with my musings or shutup...)

I am usually pretty rigorous about verification, but every now and then
one has to go and completely miss the boat on something. Heh, I should
do that more in private.


Arian J. Evans
913.378.3571 [mobile]

btw// the address I use for list postings
has been turned into a spam black hole, and
I rarely check it while on the road. If it
is important you reach me for off-list
dialogue, please use my first name at the
same domain. Please do not use or CC that
address while posting to a list however!

----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
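Matt's aside above about "filters that look for the jpeg headers" and about how well one could validate uploads is where the defensive effort belongs. The Python below is an added example, not code from this thread or from either poster: a strict upload validator that walks the JPEG marker segments rather than just checking the FF D8 signature, rejects files that do not end exactly at the EOI marker or that carry markup inside the container, and returns the response headers that stop a browser from sniffing a stored upload into a document. The sample byte strings are constructed, structurally minimal JPEGs (not renderable images), and the function and header-helper names are assumptions of this example.

```python
"""Upload validation for a site that accepts .jpg uploads and serves them back.

Added example (assumed names, constructed samples). The structural walk
rejects the file discussed in the thread (script first, JPEG bytes after)
at the first byte, and also rejects a real JPEG with script text hidden in
a COM/APPn segment or appended after the EOI marker.
"""
import re
import struct

# Byte sequences a content-sniffing browser might treat as markup.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(script|html|body|iframe|object|embed|svg|img|!doctype)\b", re.I)

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def is_well_formed_jpeg(data: bytes) -> bool:
    """Walk marker segments from SOI to SOS; require the file to end at EOI.

    Every segment between SOI and SOS must be FF <marker> <16-bit length>.
    After the SOS header the entropy-coded data is not parsed; the strict
    rule is simply that the last two bytes are FF D9 (no trailing data).
    """
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return False
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False                      # not a marker: garbage in header
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill byte, marker continues
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn: no payload
            pos += 2
            continue
        if marker in (EOI, SOI):              # EOI before any scan, or nested SOI
            return False
        if pos + 4 > len(data):
            return False
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            return False                      # length runs past end of file
        if marker == SOS:
            end_of_header = pos + 2 + seg_len
            # at least one byte of scan data, then EOI as the final two bytes
            return len(data) >= end_of_header + 3 and data[-2:] == b"\xff\xd9"
        pos += 2 + seg_len
    return False                              # ran out of data before SOS


def validate_image_upload(filename: str, data: bytes,
                          max_bytes: int = 5_000_000) -> tuple:
    """Return (accepted, reason). Extension, size, structure, then content."""
    name = filename.lower()
    if not (name.endswith(".jpg") or name.endswith(".jpeg")):
        return False, "extension not allowed"
    if len(data) > max_bytes:
        return False, "too large"
    if not is_well_formed_jpeg(data):
        return False, "not a well-formed JPEG"
    if ACTIVE_CONTENT.search(data):
        return False, "markup found inside image container"
    return True, "ok"


def download_headers(stored_name: str) -> dict:
    """Headers for serving a validated upload: fixed type, no sniffing,
    and a sanitized filename so the stored name cannot inject header text."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", stored_name)
    return {
        "Content-Type": "image/jpeg",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{safe}"',
    }


# --- constructed samples: structurally minimal, not decodable pictures ---
_APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_SOS = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
GOOD_JPEG = b"\xff\xd8" + _APP0 + _SOS + b"\x12\x34\x56" + b"\xff\xd9"
SCRIPT_FIRST = b"<script>alert(1)</script>" + GOOD_JPEG[2:]   # the thread's case
COM_WITH_MARKUP = (b"\xff\xd8" + _APP0 + b"\xff\xfe\x00\x0c<script>js"
                   + _SOS + b"\x12\x34\x56" + b"\xff\xd9")
TRAILING = GOOD_JPEG + b"<html>"                              # data after EOI

if __name__ == "__main__":
    for label, blob in [("good", GOOD_JPEG), ("script-first", SCRIPT_FIRST),
                        ("comment-markup", COM_WITH_MARKUP), ("trailing", TRAILING)]:
        print(label, validate_image_upload("photo.jpg", blob))
    print(download_headers("my photo.jpg"))
```

The header check alone ("starts with FF D8") is exactly what Matt expects an extra-clever filter to do, and a valid JPEG with text in a comment segment walks straight past it; the marker walk plus the markup scan closes that, and `X-Content-Type-Options: nosniff` with a fixed `Content-Type` makes the browser honour the declared type even if a file does slip through. Serving uploads from a separate origin is the remaining layer, so that any script that does execute has no access to the financial site's session.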