[WEB SECURITY] Attacks via forms and clipboard

MustLive mustlive at websecurity.com.ua
Wed Oct 5 16:50:39 EDT 2011


Hello participants of Mailing List.

While people are waiting for full translation of my articles, which I told
you briefly in my previous post Bypassing of security mechanisms
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-September/008051.html)
 - thanks everyone who requested the translation - meanwhile I will tell you
about other my articles.

I'll tell you briefly about my two articles concerning attacks via forms and
clipboard. Which I wrote in April and in September accordingly. I'm
combining these articles into one post due to some similar aspects. These
topics should be interesting for you (especially for those, who haven't read
them before).

1. Cross-Site Scripting vulnerabilities in forms
http://websecurity.com.ua/5076/

In this article I told about the next. Among interesting vectors of XSS
attacks, on which web developers draw not enough attention, there are
attacks on forms where rich editors are used (or when web developers
visualize data in forms similar to rich editors or use AJAX). Cross-Site
Scripting vulnerabilities in such forms can take place even at presence of
filtration of input and output data.

About such vulnerabilities I wrote many times during last 4 years:
concerning persistent XSS (in Relay and Drupal) and reflected XSS (in Relay,
PHP-Nuke and Drupal). And also many times have met such holes at different
sites. Taking into account widespread of above-mentioned web applications,
such vulnerabilities concern millions of sites.

2. Attacks via clipboard
http://websecurity.com.ua/5404/

In this article I told about the attacks via clipboard. I created conception
of them already many years ago, after I have met with XSS, which requires
pasting from clipboard. And I showed method of conduction such attacks via
JS and Flash.

In above-mentioned article I told about XSS attacks on forms, such as
reflected XSS and persistent XSS. I've found such vulnerabilities at many
sites and in many web applications in 2007-2011. But besides them, strictly
social XSS occur in forms, when it's needed to force a victim to copy
special code into clipboard and pasted it from clipboard for conducting of
the attack - such vulnerabilities I've found already in 2006. Which I wrote
about in article Cross-Language Scripting (http://websecurity.com.ua/4247/).
And using of such method allows to solve first part of the task - copying of
the code into clipboard, and then it'll remain only to force a victim to
paste from clipboard for conducting of the attack.

There is a possibility to add data into clipboard in the browser.
Particularly, it can be done via JavaScript and Flash. Which can be used for
attack. By using function of copying into clipboard it's possible to conduct
different attacks, particularly Cross-Site Scripting and Cross-Application
Scripting (CAS), and also spam, phishing and malware attacks.

In the article I've described the next attacks: XSS, CAS (which leads to DoS
or Code Execution), attacks on download managers which monitor clipboard
(which leads to manual downloading of malware or even Automatic File
Download), clipboard spamming, clipboard phishing and clipboard malwaring.

And I described methods (with showing codes) of conducting such attacks via 
JS (in IE) and Flash (AS1 and AS3), nuances of such attacks (such as
differences in versions of Flash player, starting from 10.0 and working of
attack in browser and locally even in last versions of Flash), possibilities
of bypassing different protections by combining both methods, limits which
Adobe made in Flash 10.0 (after in 2008 there was disclosed links spreading
via Flash via clipboard and flash-banners were found which used such
attacks) and how to bypass such limits (as via JS method, as via Flash
method). Existence of such possibility shows, that fix of Adobe (for work
with clipboard in Flash 10.0+) can be bypassed and such attack is still
possible. And also described possibility of persistent attack via clipboard.

Best wishes & regards,
MustLive
http://soundcloud.com/mustlive





More information about the websecurity mailing list