[WEB SECURITY] HOST header exploitation
bugtraq at cgisecurity.net
Mon Apr 27 13:51:08 EDT 2009
Flash will be restricted by the flash socket policy introduced in later versions of Flash Player. This requires the host you wish to connect to to host the socket policy file. Socket policies are typically not served up via HTTP, requiring a daemon to bind a TCP socket on the same IP as the other virtual host you wish to attack.

XHR was a vulnerability that was fixed a while ago (other unknown holes may exist).

Signed applets will let you do what you want.
<bigpimpin>
I published a paper last month involving host header modification via flash to abuse transparent proxies.
It touches on how flash operates and can be found at http://www.thesecuritypractice.com/the_security_practice/2009/03/socket-capable-browser-plugins-result-in-transparent-proxy-abuse.html .
</bigpimpin>
A sample socket server with instructions can be found at http://www.lightsphere.com/dev/articles/flash_socket_policy.html .
Regards,
- Robert A.
http://www.cgisecurity.com/
http://www.webappsec.org/
>
> Flash & Java will be the best candidates.
> They have socket capability and you can use them to exploit via
> payload like XSRF.
>
>
> On 4/27/09, Matt Hellman <mhellman at taxandfinance.com> wrote:
> > I have an application that is vulnerable to HOST header manipulation.
> > In this case, it's an issue with the authentication framework that
> > eventually appends a session ID to a redirect based on the HOST header.
> > To exploit this weakness, how might an attacker get a victim to submit a
> > request with a crafted HOST header? XHR? Flash? Java?
> >
> > TIA,
> > Matt
> >
> >
> > ----------------------------------------------------------------------------
> > Join us on IRC: irc.freenode.net #webappsec
> >
> > Have a question? Search The Web Security Mailing List Archives:
> > http://www.webappsec.org/lists/websecurity/archive/
> >
> > Subscribe via RSS:
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> >
> > Join WASC on LinkedIn
> > http://www.linkedin.com/e/gis/83336/4B20E4374DBA
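A defender-side illustration of the weakness Matt describes (the redirect's host taken from the request's Host header, with the session ID appended), as an added example that is not code from this thread or from any project it names. It places the vulnerable pattern beside an allowlist check and adds a small scan of constructed access-log lines for Host values the application never serves. `ALLOWED_HOSTS`, `CANONICAL_HOST`, the `/login?sid=` URL shape and the log layout are assumptions made for the example.

```python
import re
from typing import Iterable, List, Optional

# Hostnames (optionally with port) this deployment legitimately answers to.
# Constructed values for the example; a real deployment reads these from config.
ALLOWED_HOSTS = {"app.example.com", "app.example.com:8443"}
CANONICAL_HOST = "app.example.com"


def vulnerable_redirect(host_header: str, session_id: str) -> str:
    """The pattern from the thread: the redirect target is built from the
    client-supplied Host header and the session ID is appended, so whoever
    controls Host receives the session ID."""
    return f"https://{host_header}/login?sid={session_id}"


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Lower-case and trim a Host value; return None if it contains anything
    that could smuggle userinfo, a path, a query or a second port into a URL."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    if any(ch in host for ch in "/\\@?#%\x00 \t\r\n") or host.count(":") > 1:
        return None
    return host


def safe_redirect(host_header: Optional[str], session_id: str) -> str:
    """Same redirect, but the host part comes from an allowlist: a Host value
    we do not recognise falls back to the canonical name instead of being
    echoed into the Location header."""
    host = normalize_host(host_header)
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    return f"https://{host}/login?sid={session_id}"


# Constructed access-log lines: common log format with the request's Host
# header appended as a final quoted field (assumed log layout).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Apr/2009:13:51:08 -0400] "GET /login HTTP/1.1" 302 0 "app.example.com"',
    '203.0.113.5 - - [27/Apr/2009:13:51:09 -0400] "GET /login HTTP/1.1" 302 0 "APP.example.com:8443"',
    '198.51.100.7 - - [27/Apr/2009:13:52:41 -0400] "GET /login HTTP/1.1" 302 0 "evil.example.net"',
    '198.51.100.7 - - [27/Apr/2009:13:52:42 -0400] "GET /login HTTP/1.1" 302 0 "app.example.com@evil.example.net"',
]

_HOST_FIELD = re.compile(r'"([^"]*)"\s*$')


def unexpected_hosts(lines: Iterable[str]) -> List[str]:
    """Return the Host values (as logged) that are not on the allowlist, so a
    defender can see redirects that were built for a host the app never serves."""
    hits = []
    for line in lines:
        match = _HOST_FIELD.search(line)
        if not match:
            continue
        raw = match.group(1)
        if normalize_host(raw) not in ALLOWED_HOSTS:
            hits.append(raw)
    return hits


if __name__ == "__main__":
    print(vulnerable_redirect("evil.example.net", "s3ss10n"))
    print(safe_redirect("evil.example.net", "s3ss10n"))
    print(unexpected_hosts(SAMPLE_LOG))
```

The allowlist comparison is what closes the hole; the character check in `normalize_host` only keeps odd values (userinfo, embedded paths, a second port) from ever reaching string concatenation. Logging the Host header alongside each redirect is what makes the scan possible after the fact.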