[WEB SECURITY] (XSS via file extension) XSS-Phishing on Financial Sites

RSnake rsnake at shocking.com
Wed Jun 28 00:25:33 EDT 2006


> RSnake: I hear you about the SE elements, but really; a trusted extension on a trusted site ? Not a very tough SE hack really, unless I'm missing something.  Would be sweet if it worked in an image tag though.  Must be a way ....

Yes, you can fool someone into clicking on a link by saying "hey look at
my cool picture I uploaded", but that's far far less effective for large
scale attacks than automatic script execution.  So yes, it's just an SE
hack, but another variant of the same SE is to get someone to click on a
link to another site "Look at this interesting article I found on the
web that is relating to the topic in question.".

That site can then iframe the .jpg file with your JavaScript in it.
That iframe will keep the same origin policy and therefor run in the
context of the victim domain in question.  Still an SE hack, but it
doesn't look out of the ordinary (and may not look like anything at all
if the iframe is hidden by CSS).  Getting someone to click a link to a
JPG on the server that then breaks is a little more obvious - at least
to me.

So sure, if you use an iframe to frame the image (requiring HTML
injection) that'll work for automatic execution, which is actually one
way I could see that someone might have implemented that for avatars on
some messageboard somewhere (that's how Adsense and YPN pull in their
listings inside the JavaScript tag for instance).  I don't disbelieve
Adrian saw what he thought he saw, but it wasn't inside of an image tag.
Other possibles are object tags, embed tags, etc...  There are lots
other ways to do it.

-RSnake
http://ha.ckers.org/
http://ha.ckers.org/xss.html
http://ha.ckers.org/blog/feed/

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list