[WEB SECURITY] Cross-Site History Manipulation (XSHM)

Mostafa Siraj mostafa.siraj at gmail.com
Mon Feb 1 04:21:13 EST 2010


Shlomi,

How does a website forbid being framed (like you said for Gmail)?

Thanks
Mostafa <http://twitter.com/mostafasiraj>

On Sun, Jan 31, 2010 at 12:15 PM, Shlomi Narkolayev <shlominar at gmail.com> wrote:

> The problem is that many websites forbid being framed by other domains,
> like Gmail.
>
> I have posted on my blog (http://narkolayev-shlomi.blogspot.com/) how to
> bypass this restriction using security="restricted", but it works only
> for IE users (which are the majority of browser users).
>
> You can identify whether a user is logged in to a specific website by adding
> an image that is displayed only after the user is logged in, something like:
>
> <img src="https://www.Bank.com/loggedIn/personal/myPhoto.png"
> onerror="tryAnotherBank();" onload="MoneyTransfer_ClickJacking();">
>
> Kind Regards,
> Narkolayev Shlomi.
>
>
> Checkmarx Research Labs has identified a new critical vulnerability in
> Internet Explorer (other browsers are probably exposed the same way) that
> would allow hackers to easily compromise web applications. Cross-Site
> History Manipulation (XSHM) is a newly discovered zero-day attack: attackers
> may have been using it for a long time, but the application and security
> communities do not know it.
>
> To help major browsers or application developers stop the proliferation of
> this exploit, Checkmarx has published a guide to identify and remediate the
> vulnerability. It can be downloaded at
>
> http://www.checkmarx.com/CxDownloadRequest.aspx?id=8
>
> A PoC for IE and Facebook users can be seen here:
>
> http://www.checkmarx.com/Demo/XSHM.aspx
>
> In this page, an attacker can easily detect whether a user is currently
> authenticated to the Facebook application. Interested parties will be able
> to detect XSHM in samples of their application by using a free download
> version of the product.
>
> Thanks,
>
> Alex Roichman
>
> Chief Architect and head of Research labs, Checkmarx Ltd.
>
> Securitylabs at checkmarx.com
>


-- 
"Our deepest fear is not that we are inadequate. Our deepest fear is that we
are powerful beyond measure. It is our light, not our darkness, that most
frightens us. We ask ourselves, who am I to be brilliant, gorgeous,
talented, and fabulous?Actually, who are you not to be? You are a child of
God. Your playing small doesn't serve the world. There's nothing enlightened
about shrinking so that other people won't feel insecure around you. We are
all meant to shine, as children do. We are born to make manifest the glory
of God that is within us. It's not just in some of us, it's in everyone. And
as we let our own light shine, we unconsciously give other people permission
to do the same. As we are liberated from our own fear, our presence
automatically liberates others." --Nelson Mandela--