[WEB SECURITY] Cross-Site History Manipulation (XSHM)

Peter Lowe peter at sign-up.to
Mon Feb 1 11:26:34 EST 2010


One way is by using JS - eg, with something like this:

	if (window != top) top.location.href = location.href;

cheers,

 - Peter

Mostafa Siraj wrote, On 01/02/2010 09:21:
> Shlomi,
> 
> How does a website forbid being framed (like you said for Gmail)?
> 
> Thanks
> Mostafa <http://twitter.com/mostafasiraj>
> 
> On Sun, Jan 31, 2010 at 12:15 PM, Shlomi Narkolayev <shlominar at gmail.com> wrote:
> 
>> The problem is that many websites forbid being framed by other domains,
>> like Gmail.
>>
>> I have posted on my blog (http://narkolayev-shlomi.blogspot.com/) how to
>> bypass this restriction using security="restricted", but it will work only
>> for IE users (which are most browser users).
>>
>> You can identify if a user is logged in to a specific website by adding an image
>> that is displayed only after the user is logged in, something like:
>>
>> <img src="https://www.Bank.com/loggedIn/personal/myPhoto.png" onerror="tryAnotherBank();" onload="MoneyTransfer_ClickJacking();">
>>
>> Kind Regards,
>> Narkolayev Shlomi.
>>
>>
>> Checkmarx Research Labs has identified a new critical vulnerability in
>> Internet Explorer (other browsers are probably exposed the same way) that
>> would allow hackers to easily compromise web applications. Cross-Site
>> History Manipulation (XSHM) is a newly discovered zero-day attack: attackers
>> may have been using it for a long time, but the application and security
>> communities do not know it.
>>
>>
>>
>> To help major browsers or application developers stop the proliferation of
>> this exploit, Checkmarx has published a guide to identify and remediate the
>> vulnerability. It can be downloaded at
>>
>> http://www.checkmarx.com/CxDownloadRequest.aspx?id=8
>>
>>
>>
>> A POC for IE and Facebook users can be seen here:
>>
>> http://www.checkmarx.com/Demo/XSHM.aspx
>>
>> In this page, an attacker can easily detect whether a user is currently
>> authenticated to the Facebook application. Interested parties will be able
>> to detect XSHM in samples of their application by using a free download
>> version of the product.
>>
>>
>>
>> Thanks,
>>
>> Alex Roichman
>>
>> Chief Architect and head of Research labs, Checkmarx Ltd.
>>
>> Securitylabs at checkmarx.com
>>
>> ----------------------------------------------------------------------------
>>
>> Join us on IRC: irc.freenode.net #webappsec
>>
>>
>>
>> Have a question? Search The Web Security Mailing List Archives:
>>
>> http://www.webappsec.org/lists/websecurity/archive/
>>
>>
>>
>> Subscribe via RSS:
>>
>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>
>>
>>
>> Join WASC on LinkedIn
>>
>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>>
> 
> 


-- 
Sign-Up.to - Right Person. Right Place. Right Time.
www.sign-up.to | blog.sign-up.to | twitter.com/signupto | facebook.sign-up.to
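An added example, not Peter's code and not from the thread: the one-line buster above only works if script runs inside the frame, and Shlomi notes upthread that IE's security="restricted" disables script there. The defensive pattern below therefore keeps the page hidden until script confirms it is top-level, and is written as pure functions over an assumed window-like object (self, top, location) so the decision can be tested outside a browser. The markup and the server-side X-Frame-Options header it mentions are assumptions, not something the thread shows.

```javascript
// Returns true when the document is not the top-level window.
// Any exception while inspecting the window is treated as "framed"
// so the check fails closed.
function isFramed(windowLike) {
  try {
    return windowLike.self !== windowLike.top;
  } catch (e) {
    return true;
  }
}

// Decide what the page should do: reveal itself, or redirect the top
// window to its own URL (the "bust" from the thread's one-liner).
function frameBustDecision(windowLike) {
  if (!isFramed(windowLike)) {
    return { action: 'reveal' };
  }
  return { action: 'bust', target: windowLike.location.href };
}

// Browser wiring. Assumed markup: <body style="display:none"> with this
// script placed at the end of <body>, and the server also sending
// X-Frame-Options: DENY as the primary, script-independent defence.
// If script is disabled inside the frame, the body simply stays hidden.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const decision = frameBustDecision(window);
  if (decision.action === 'reveal') {
    document.body.style.display = 'block';
  } else {
    try {
      window.top.location.href = decision.target;
    } catch (e) {
      // Navigation was blocked by the framing page; leave the body hidden.
    }
  }
}
```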
