[WEB SECURITY] Cross-Site Scripting attacks via redirectors

7Lyrix 7lyrix at gmail.com
Wed Aug 19 15:54:04 EDT 2009


Arshan

I also don't like being negative.  Have you ever tested MustLive's provided
PoC?
Check his PoCs against the BSH's list -
http://code.google.com/p/browsersec/wiki/Part2#Redirection_restrictions
See the output. Actions are better than words.



On Wed, Aug 19, 2009 at 8:41 AM, Arshan Dabirsiaghi <
arshan.dabirsiaghi at aspectsecurity.com> wrote:

>  MustLive,
>
> I don't like being negative but I don't know if I've ever seen work that
> useful dismissed so arrogantly. Aside from all the technical things you got
> wrong, it's probably not smart to take shots at legends like lcamtuf in case
> you ever want to work for someone born before 1987.
>
> First of all, what you're talking about is not "XSS" or "holes in the
> browser." You're talking about certain browser behavior that is subject to
> risk assessment; your findings can't objectively or even accurately be
> called those things. If you wanted to call your work "browser behavior in
> niche cases in header injection", you'd be using terminology that's
> reasonable, and won't make the folks at MITRE puke up their pad thai and
> then kill themselves.
>
> Second, you appear to be plainly wrong about the fact that the handbook
> doesn't cover redirects to JavaScript URIs in Location headers. That's
> covered here in row 2:
>
> http://code.google.com/p/browsersec/wiki/Part2#Redirection_restrictions
>
> Next, you say that his test cases are wrong. This could be true for all I
> know, since I'm not going to verify them unless I have to in order to assess
> the risk of a finding. Hell, I wouldn't feel safe loading IE6 inside 4
> nested VMs, so I'm happy to take his word for it.
>
> Anyway, if you did find an inaccuracy, the right thing to do would be to
> email someone at Google and have them add your information to their body of
> work. This is more useful to everyone than repeatedly congratulating
> yourself while at the same time loudly admonishing the free work they gave
> to the community.
>
> Lastly, and this is just pure speculation (and maybe hope), but I would
> guess that factual errors in the BSH are probably rare, since (I assume) the
> data is generated by automated test cases; think Acid3 meets DOMChecker
> meets crontab. My chief complaint is the lack of regular testing, though,
> since there doesn't appear to be any set schedule for updates:
>
> http://code.google.com/p/browsersec/wiki/Main#Introduction
>
> Can't we virtualize+cloudize this process and get down to up-to-date,
> revision-level granularity? =)
>
> Arshan
>
>  ------------------------------
>  *From:* MustLive [mailto:mustlive at websecurity.com.ua]
> *Sent:* Tue 8/18/2009 4:56 PM
> *To:* Arshan Dabirsiaghi
> *Cc:* websecurity at webappsec.org
> *Subject:* Re: [WEB SECURITY] Cross-Site Scripting attacks via redirectors
> Hello Arshan!
>
> Thanks for reminding me about Google's Browser Security Handbook. I know
> about it, and after the release of this handbook in December 2008 I wrote
> my opinion about it
> (http://www.webappsec.org/lists/websecurity/archive/2008-12/msg00058.html).
> It would have been better for you (and also for Google, if they haven't yet)
> to first read my post in the list before referencing this book.
>
> The key phrase of that post of mine is this: first fix your holes, then write
> your book. And until that is done, this lame book (in the context of
> security) by lame Google (in the context of security) will stay forever a lame
> book (again in the context of security; Google can be nice in other contexts,
> but we're talking about security).
>
> > this information is already well-documented in Google's Browser Security
> > Handbook
>
> First, not so well. My article covers much more on this subject than that
> part of Google's book.
>
> In my article I covered 4 cases of conducting XSS attacks via
> redirectors. And the 4th case - redirecting to a javascript: URI via
> location-header redirectors - is not covered in Google's handbook (it
> says there that it's not permitted in all browsers). There is no information
> about this attack in Google's handbook or anywhere else, because I found this
> case first and wrote about it first (so it's a new case).
>
> In the handbook it was mentioned that Refresh redirection to a javascript: URI
> is not permitted in IE6, but as I wrote in my article and the corresponding
> advisory at my site, IE6 is vulnerable. The handbook also said the same
> about FF3. But as I wrote in my article and the corresponding advisory
> at my site, Firefox <= 3.0.8 is vulnerable (only the FF 3.5.x versions
> are not vulnerable). So in all these cases Google's handbook has incorrect
> information.
>
> And taking into account all these inaccuracies in this handbook, you
> called it "well-documented"? It's very far from a well-documented state. And
> Michal and Google need to work hard on it.
>
> Besides, not all the browsers which I checked were checked and mentioned in
> Google's handbook (only the most popular ones + Google's products Chrome and
> Android). But this number of browsers is enough. Though in my article there
> is additional information about affected browsers (and also about different
> versions of FF3, which are not covered at all in this handbook).
>
> Second, in this handbook it is mentioned that Chrome permits Refresh
> redirection to a javascript: URI (i.e. it's vulnerable). So Google knows that
> there is such a hole in their browser, but didn't fix it last year, nor
> this year. Which is not serious. And it was quite not serious of Michal to
> answer me in Bugtraq, when I wrote there about this hole in Chrome (and
> other browsers) after I had also written to Google, who just ignored my
> letter, that this is already documented in Google's handbook. Such an answer
> looks like they are proud of this hole in their browser and don't want to
> fix it, just referencing their handbook.
>
> Third, there is another hole in Google Chrome, which I wrote about at my
> site in June (http://websecurity.com.ua/3243/), which I found in September
> 2008 in Chrome 0.2.149.30, and Chrome 1.0.154.48 is still vulnerable (as
> must be all other Chrome 1.x and 2.x versions). And as far as I know, after I
> looked through the Google Handbook in December, this hole was mentioned as a
> "known hole" in this handbook. And at the same time all versions of Google
> Chrome are vulnerable to it.
>
> > If I were you
>
> You are not me, so we are different people and have different approaches.
> And we read different books ;-). I recommend for you and for everyone to
> read only quality books, and taking into account all the above about
> this handbook, it's not such a quality one.
>
> And you had better recommend this book to Google itself. Because, as I
> mentioned above, there are at least two holes which I found in Chrome which
> are documented in this book. Google's browser developers had better read
> their own book, to know all the well-known holes and to fix them. And not
> write about holes instead of fixing them :-).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message -----
> From: "Arshan Dabirsiaghi" <arshan.dabirsiaghi at aspectsecurity.com>
> To: "MustLive" <mustlive at websecurity.com.ua>; <websecurity at webappsec.org>
> Sent: Wednesday, August 05, 2009 12:33 AM
> Subject: RE: [WEB SECURITY] Cross-Site Scripting attacks via redirectors
>
>
> > While we all greatly appreciate your intent you should know that this
> > information is already well-documented in Google's Browser Security
> > Handbook:
> >
> > http://code.google.com/p/browsersec/wiki/Part2#Redirection_restrictions
> >
> > If I were you I would become very familiar with that body of work before
> > further research into similar areas.
> >
> > Cheers,
> > Arshan
> >
> > ________________________________
> >
> > From: MustLive [mailto:mustlive at websecurity.com.ua]
> > Sent: Tue 8/4/2009 4:31 PM
> > To: websecurity at webappsec.org
> > Subject: [WEB SECURITY] Cross-Site Scripting attacks via redirectors
> >
> >
> >
> > Hello participants of the Mailing List.
> >
> > At the end of July I published my article Cross-Site Scripting attacks via
> > redirectors (http://websecurity.com.ua/3376/). And today I published the
> > English version of my article (http://websecurity.com.ua/3386/).
> >
> > In this article I wrote about the use of redirectors in different browsers
> > for conducting Cross-Site Scripting attacks.
> >
> > In the article I wrote about XSS attacks in location-header and
> > refresh-header redirectors in different browsers: Mozilla 1.7.x, Mozilla
> > Firefox, Internet Explorer (IE6), Opera and Google Chrome. I'm also waiting
> > for information from one man who is checking all the vulnerabilities
> > mentioned in the article in other browsers, so when there is new
> > information (about other affected browsers), I'll add it to my article.
> >
> > You can read the article Cross-Site Scripting attacks via redirectors at
> > my site: http://websecurity.com.ua/3386/
> >
> > Best wishes & regards,
> > MustLive
> > Administrator of Websecurity web site
> > http://websecurity.com.ua
>
>
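The thread argues over whether browsers follow a Location or Refresh header to a javascript: URI. Whatever a given browser does, a redirector should never emit such a target. The check below is an added illustration written for this archive, not code from any of the posters or from the Browser Security Handbook; the allow-listed hosts and the sample targets are constructed.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Schemes a redirector may hand to the browser. Anything else, including the
# javascript: scheme discussed in the thread, is refused before it reaches a header.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"example.com", "www.example.com"}  # constructed allow-list

_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")
_CTRL_RE = re.compile(r"[\x00-\x20\x7f]")  # CR, LF, TAB, space and other controls


def classify_redirect_target(target: str) -> str:
    """Classify a user-supplied redirect target.

    Returns 'relative' for a same-site path, 'absolute' for an allow-listed
    http(s) URL, or 'reject'. Control characters are rejected rather than
    stripped: CR/LF would split the header, and browsers have historically
    skipped embedded tabs/newlines when reading the scheme.
    """
    if not target or _CTRL_RE.search(target) or "\\" in target:
        return "reject"  # backslash is treated as a slash by some browsers
    m = _SCHEME_RE.match(target)
    if m:
        if m.group(1).lower() not in ALLOWED_SCHEMES:
            return "reject"  # javascript:, data:, vbscript:, ...
        host = urlsplit(target).hostname  # handles user@host tricks
        return "absolute" if host in ALLOWED_HOSTS else "reject"
    # Scheme-less: accept a single-slash path, refuse protocol-relative '//host'.
    if target.startswith("/") and not target.startswith("//"):
        return "relative"
    return "reject"


def location_header(target: str) -> Optional[str]:
    """Build 'Location: <target>' or return None when the target is refused."""
    if classify_redirect_target(target) == "reject":
        return None
    return f"Location: {target}"


def refresh_header(seconds: int, target: str) -> Optional[str]:
    """Same check for the Refresh-header redirector variant."""
    if classify_redirect_target(target) == "reject":
        return None
    return f"Refresh: {int(seconds)}; url={target}"
```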