[WEB SECURITY] The Extended HTML Form attack revisited

Sandro Gauci sandro at enablesecurity.com
Thu Jun 19 04:28:04 EDT 2008


If you zoom into the screenshot you'll notice that the IMAP server is
a public one owned by "the world's most visited home page" ;-)

Agreed - it does rely on a server which echoes back user supplied
data. However this is not limited to IMAP or IMAPS servers. In the
original paper I had listed a few products which one could make use of
to launch this attack. This included FTP, POP3 and SMTP servers that
back then, would also exhibit this behavior. The bouncing server
(which was an IMAPS server in the example) need only have a forward
DNS name which points to the victim's address (eg.
someserver.domain.com).

Having a list of "vulnerable" versions of software is outside the
scope of the paper and diverges attention from the real issue.

As long as these servers follow the protocol, I do not see their
behavior as a vulnerability. My suggestion is that the web browsers
should be made more restrictive so that they can identify between a
response sent from an HTTP server and one sent from any other server.

--
Sandro Gauci
EnableSecurity
Web: http://enablesecurity.com/

On Thu, Jun 19, 2008 at 6:18 AM, Michael S. Menefee
<mmenefee at securesolve.com> wrote:
> Sandro,
>
> I'm curious which specific IMAP server was used in your example. MS
> Exchange b*itches about <CR><LF> using this same example and does not
> echo any of the submitted content. I've also tried this on Imail IMAP
> with similar results.
>
> I love the concept and agree this could work in certain circumstances,
> but it is not universally exploitable...there are specific servers and
> protocols that will actually do this, but I would like to know which you
> have tested with, so maybe we can build a list of vulnerable versions of
> software that could be exploited in this fashion.
>
>
> --
> Michael S. Menefee, CISSP (#43728)
> Principal Consultant
> Secure Solve, Inc.
> Phone: (919) 439-3598
> Fax: (919) 287-2570
> mmenefee at securesolve.com
> www.securesolve.com
>
> -----Original Message-----
> From: Sandro Gauci [mailto:publists at enablesecurity.com]
> Sent: Wednesday, June 18, 2008 12:28 PM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] The Extended HTML Form attack revisited
>
> Hi -
>
> Back in 2002 I had published details of a vulnerability affecting most
> web browsers. It detailed a security flaw that allows attackers to abuse
> non-HTTP protocols to launch Cross Site Scripting attacks even when a
> target web application was not vulnerable to XSS.
>
> Six years later I'm releasing an update to this research in this paper.
> This security vulnerability still affects popular web browsers nowadays
> and the following browsers were tested as vulnerable:
>
>  * Internet Explorer 6
>  * Internet Explorer 7
>  * Internet Explorer 8 (beta 1)
>  * Opera 9.27
>  * Opera 9.50
>  * Safari 1.32
>  * Safari 3.1.1
>
> Others have described how to abuse behavior for purposes other than
> Cross Site Scripting. NGSSoftware previously published a paper called
> "Inter-Protocol Exploitation" which references the original
> EyeonSecurity paper.
>
> Paper at:
> http://resources.enablesecurity.com/resources/the%20extended%20html%20form%20attack%20revisited.pdf
>
> or http://tinyurl.com/5d88ll
>
> --
> Sandro Gauci
> EnableSecurity
> Web: http://enablesecurity.com/
>
> ------------------------------------------------------------------------
> ----
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>
>
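The mitigation Sandro proposes above (a browser that can tell an HTTP server's response from an echo produced by some other protocol) can be shown in a few lines. The following is an added example, not code from the original post or from the EnableSecurity paper, and both sample responses are constructed: a genuine HTTP reply carrying an HTML document, and an IMAP-style reply in which the server answers each line of a posted form with a "BAD Unknown command" error that quotes the unrecognised tag back, which is the echo behaviour the thread discusses. The permissive `looks_like_html` check stands in for a browser that renders whatever looks like markup; `may_render_as_html` requires a well-formed status line, well-formed header lines and a `text/html` content type before anything is treated as a page.

```python
import re

# Constructed sample 1: a real HTTP/1.1 response with an HTML body.
HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"<html><body>hi</body></html>"
)

# Constructed sample 2: what an IMAP server might send back when a browser
# submits an HTML form to its port. Each request line is read as
# "<tag> <command>", so the tag (including markup) is echoed in the error.
IMAP_ECHO = (
    b"* OK IMAP4rev1 server ready\r\n"
    b"POST BAD Unknown command\r\n"
    b"Host: BAD Unknown command\r\n"
    b"<b>hello</b> BAD Unknown command\r\n"
)

# Status line per RFC 2616: HTTP-Version SP Status-Code SP Reason-Phrase CRLF
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3}) [^\r\n]*\r\n")
# Header field names are HTTP tokens; anything else is not a header line.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def looks_like_html(raw):
    """Permissive check: 'render it if it contains a tag'. This is the
    behaviour that lets a non-HTTP echo end up parsed as a page."""
    low = raw.lower()
    return b"<html" in low or re.search(rb"<[a-z]+>", low) is not None


def parse_http_response(raw):
    """Strict parser: returns (status, headers, body) or raises ValueError
    when the bytes are not a syntactically valid HTTP response."""
    m = STATUS_LINE.match(raw)
    if not m:
        raise ValueError("no HTTP status line")
    head_end = raw.find(b"\r\n\r\n")
    if head_end == -1:
        raise ValueError("headers never terminated")
    headers = {}
    for line in raw[m.end():head_end].split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):
            raise ValueError("malformed header line: %r" % line)
        headers[name.lower().decode("ascii")] = value.strip().decode("latin-1")
    return int(m.group(1)), headers, raw[head_end + 4:]


def may_render_as_html(raw):
    """The restrictive policy: only a valid HTTP response whose Content-Type
    is text/html is handed to the HTML parser; everything else is refused."""
    try:
        status, headers, body = parse_http_response(raw)
    except ValueError:
        return False
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    return media_type == "text/html"


if __name__ == "__main__":
    for label, sample in (("http", HTTP_RESPONSE), ("imap echo", IMAP_ECHO)):
        print("%-9s permissive=%-5s strict=%s"
              % (label, looks_like_html(sample), may_render_as_html(sample)))
```

The permissive check accepts both samples, which is exactly the problem: the IMAP reply contains the `<b>hello</b>` the client itself sent, so content sniffing cannot distinguish it from a page. The strict check rejects the IMAP reply at the first byte, because "* OK" is not an HTTP status line, without needing a list of "vulnerable" server products.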
