[WEB SECURITY] Cross-Site History Manipulation (XSHM)

Shlomi Narkolayev shlominar at gmail.com
Mon Feb 1 04:48:57 EST 2010


There are some methods for doing this:
1) Checking the X-Frame-Options header (IE8 supports that, FF 3.5 will) - the
problem is that many users still use other headers.
2) Using Frame Busting code like:
<script type="text/javascript">
 if (top !== self) top.location.replace(self.location.href);
</script>

You can also check my blog post - I wrote about how it is possible to
bypass Frame Busting code:
http://narkolayev-shlomi.blogspot.com/2010/01/defeating-frame-busting-scripts-one-of.html

Kind Regards,
Narkolayev Shlomi.

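An added example (not code from the thread, from Checkmarx, or from the blog linked above) showing the layered defence a site owner can apply: the X-Frame-Options header named above together with CSP frame-ancestors (its later, standardised successor, which the thread does not mention), a fail-closed variant of the frame-busting script quoted above, and a small audit helper for a response's headers. The window-like objects and the lowercased header names are assumptions so the code runs under Node.

```javascript
// Added example, not from the thread: three pieces of anti-framing defence.

// 1) Server side: emit both the X-Frame-Options header discussed in the
//    thread and CSP frame-ancestors (its standardised successor) so that a
//    browser honouring either one refuses to render the page in a
//    third-party frame. allowSameOrigin=true lets the site frame itself.
function antiFramingHeaders(allowSameOrigin) {
  return allowSameOrigin
    ? { 'X-Frame-Options': 'SAMEORIGIN',
        'Content-Security-Policy': "frame-ancestors 'self'" }
    : { 'X-Frame-Options': 'DENY',
        'Content-Security-Policy': "frame-ancestors 'none'" };
}

// 2) Client side, fail closed: ship the page with <body> hidden by a
//    <style> rule and reveal it only when this is the top-level window.
//    If the framing page stops the script from navigating top (e.g. by
//    disabling script with IE's security="restricted", as the thread
//    mentions), the body just stays hidden instead of being clickjacked.
//    `win` stands in for the browser's window so this runs under Node.
function frameBustDecision(win) {
  if (win.top === win.self) {
    return { revealBody: true, navigatedTop: false };
  }
  try {
    // same call as the thread's snippet: break out of the frame
    win.top.location.replace(win.self.location.href);
    return { revealBody: false, navigatedTop: true };
  } catch (e) {
    // navigation refused or blocked: keep the body hidden regardless
    return { revealBody: false, navigatedTop: false };
  }
}

// 3) Audit helper: does a response (header names lowercased, as Node's
//    http module delivers them) carry any anti-framing protection?
function framingProtection(headers) {
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  const csp = headers['content-security-policy'] || '';
  const m = /frame-ancestors\s+([^;]+)/i.exec(csp);
  const byXfo = xfo === 'DENY' || xfo === 'SAMEORIGIN';
  return { byXfo, frameAncestors: m ? m[1].trim() : null,
           protected: byXfo || m !== null };
}
```

In a real page the `<style>` that hides the body goes in `<head>` before the script, and the script removes it on the `revealBody` branch; the headers remain the primary control because they work even when script is disabled.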

On Mon, Feb 1, 2010 at 11:21 AM, Mostafa Siraj <mostafa.siraj at gmail.com> wrote:

> Shlomi,
>
> how does a website forbid being framed (like you said for Gmail)??
>
> Thanks
> Mostafa <http://twitter.com/mostafasiraj>
>
>
> On Sun, Jan 31, 2010 at 12:15 PM, Shlomi Narkolayev <shlominar at gmail.com> wrote:
>
>> The problem is that many websites forbid being framed by other domains,
>> like Gmail.
>>
>> I have posted on my blog (http://narkolayev-shlomi.blogspot.com/) how to
>> bypass this restriction using security="restricted", but it will work only
>> on IE users (which is most browser users).
>>
>> You can identify whether a user is logged in to a specific website by adding
>> an image that is displayed only after the user is logged in, something like:
>>
>> <img src="https://www.Bank.com/loggedIn/personal/myPhoto.png"
>>      onerror="tryAnotherBank();" onload="MoneyTransfer_ClickJacking();">
>>
>> Kind Regards,
>> Narkolayev Shlomi.
>>
>>
>> Checkmarx Research Labs has identified a new critical vulnerability in
>> Internet Explorer (other browsers are probably exposed the same way) that
>> would allow hackers to easily compromise web applications. Cross-Site
>> History Manipulation (XSHM) is a newly discovered zero-day attack: attackers
>> may have been using it for a long time, but the application and security
>> communities do not know it.
>>
>> To help major browsers or application developers stop the proliferation of
>> this exploit, Checkmarx has published a guide to identify and remediate the
>> vulnerability. It can be downloaded at
>>
>> http://www.checkmarx.com/CxDownloadRequest.aspx?id=8
>>
>> A PoC for IE and Facebook users can be seen here:
>>
>> http://www.checkmarx.com/Demo/XSHM.aspx In this page, an attacker can
>> easily detect whether a user is currently authenticated to the Facebook
>> application. Interested parties will be able to detect XSHM in samples of
>> their application by using a free download version of the product.
>>
>> Thanks,
>>
>> Alex Roichman
>>
>> Chief Architect and head of Research labs, Checkmarx Ltd.
>>
>> Securitylabs at checkmarx.com
>>