[WEB SECURITY] (XSS via file extension) XSS-Phishing on Financial Sites

Matt Fisher mfisher at spidynamics.com
Wed Jun 28 10:14:05 EDT 2006

>>JPG on the server that then breaks is a little more obvious - at least to me.
Now I am thinking that I did miss something.  Does the jpeg have to break?  Is there anything that would keep your own embedded script in the fake jpeg from drawing a real jpeg as well?  For instance, load up a fake (script) image to the server, load up a real one, fake (script) image runs an exploit and then draws an image tag with the real one as the source, or an off-site one, etc.
I played with object and embed tags a bit last night and got no soup.  Of course qualifying that as just casual playing, not seriously concerted research.  


From: RSnake [mailto:rsnake at shocking.com]
Sent: Wed 6/28/2006 12:25 AM
To: Matt Fisher
Cc: Web Security
Subject: RE: [WEB SECURITY] (XSS via file extension) XSS-Phishing on Financial Sites

> RSnake: I hear you about the SE elements, but really; a trusted extension on a trusted site?  Not a very tough SE hack really, unless I'm missing something.  Would be sweet if it worked in an image tag though.  Must be a way ....

Yes, you can fool someone into clicking on a link by saying "hey look at
my cool picture I uploaded", but that's far far less effective for large
scale attacks than automatic script execution.  So yes, it's just an SE
hack, but another variant of the same SE is to get someone to click on a
link to another site "Look at this interesting article I found on the
web that is relating to the topic in question.".

That site can then iframe the .jpg file with your JavaScript in it.
That iframe will keep the same origin policy and therefore run in the
context of the victim domain in question.  Still an SE hack, but it
doesn't look out of the ordinary (and may not look like anything at all
if the iframe is hidden by CSS).  Getting someone to click a link to a
JPG on the server that then breaks is a little more obvious - at least
to me.

So sure, if you use an iframe to frame the image (requiring HTML
injection) that'll work for automatic execution, which is actually one
way I could see that someone might have implemented that for avatars on
some messageboard somewhere (that's how Adsense and YPN pull in their
listings inside the JavaScript tag for instance).  I don't disbelieve
Adrian saw what he thought he saw, but it wasn't inside of an image tag.
Other possibles are object tags, embed tags, etc...  There are lots of
other ways to do it.
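The defensive side of the scenario discussed in this thread (a file with a trusted image extension that actually carries HTML/script and gets served from the victim's origin), as an added example that is not from either poster: a server-side upload check in Python that rejects files whose bytes are not a JPEG, including polyglots that begin as a valid JPEG but smuggle script in a comment segment, plus the response headers to send with uploads. The `X-Content-Type-Options: nosniff` header is a browser control that arrived after this 2006 thread; the sample files and the function names are constructed for the example.

```python
import re
from typing import Tuple

# Byte markers that, if a browser sniffs the response as HTML, would let a
# ".jpg" file run script in the serving site's origin.
ACTIVE_CONTENT_MARKERS = re.compile(
    rb"<\s*(script|html|iframe|object|embed|svg|meta|body)\b|javascript:",
    re.IGNORECASE,
)

ALLOWED_EXTENSIONS = {"jpg", "jpeg"}
JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image marker followed by next marker byte
JPEG_EOI = b"\xff\xd9"       # End Of Image marker


def validate_jpeg_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only files that look like a plain JPEG
    from first byte to last and contain no HTML/script markers anywhere."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext or '<none>'} not allowed"
    if not data.startswith(JPEG_SOI):
        return False, "missing JPEG SOI marker (not a JPEG)"
    if not data.endswith(JPEG_EOI):
        return False, "missing JPEG EOI marker (truncated or not a JPEG)"
    m = ACTIVE_CONTENT_MARKERS.search(data)
    if m:
        return False, f"active content marker {m.group(0)!r} at offset {m.start()}"
    return True, "ok"


def hardened_response_headers() -> dict:
    """Headers to send with every served upload: a fixed image type and nosniff,
    so a file that slips past validation is still not interpreted as HTML.
    Serving uploads from a separate, cookieless domain removes the origin
    problem entirely and is the stronger fix."""
    return {
        "Content-Type": "image/jpeg",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples: a minimal JPEG skeleton, an HTML file renamed to .jpg
# (the thread's "fake (script) image"), and a polyglot that starts as a JPEG
# but hides script inside a COM (0xFFFE) comment segment.
SAMPLE_REAL = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 8 + JPEG_EOI
SAMPLE_FAKE = b"<html><body><script>alert(1)</script></body></html>"
SAMPLE_POLYGLOT = JPEG_SOI + b"\xfe\x00\x14<script>alert(1)</script>" + JPEG_EOI
```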

