websecurity@lists.webappsec.org

The Web Security Mailing List

View all threads

Interesting method of conducting XSS attacks in Firefox and Attacks on web sites via mod-itk

M
MustLive
Fri, Sep 21, 2012 7:00 PM

Hello participants of Mailing List.

In May 2011 and in September 2012, I've wrote two articles. Request full
translation of any of them if needed.

I'll tell you briefly about my articles concerning interesting method of
conducting XSS attacks in Firefox and attacks on web sites via mod-itk.
These topics should be interesting for you (especially for those, who
haven't read them before).

  1. Interesting method of conducting XSS attacks in Firefox.
    http://websecurity.com.ua/5158/

In this article I've told about one method of conducting XSS attacks in
Firefox. It's based on a feature of Gecko-based browsers, about which I know
since 2006 and use for XSS attacks, but in 2011 I've enhanced this attack
during security audit of web site of my client. This technique can be used
for bypassing protections against XSS - built-in at web sites or WAFs.

This browser feature was removed in Firefox 4. The attack works in Firefox
3.0.19, 3.5.19, 3.6.28 and previous versions.

  1. Attacks on web sites via mod-itk.
    http://websecurity.com.ua/6043/

In this article I've told about attacks on web sites via mod-itk module for
Apache. The mod_itk (mpm-itk) is a security module, but with not secure
enough configuration it can bring serious security issue to web server (such
as PHP code execution), even on web sites which are secure at web server
without this module. In June I've informed about it the developer of this
module and the developers of Apache. I've tested this attack on WordPress,
but any web applications with file editing functionality can be used for it.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Hello participants of Mailing List. In May 2011 and in September 2012, I've wrote two articles. Request full translation of any of them if needed. I'll tell you briefly about my articles concerning interesting method of conducting XSS attacks in Firefox and attacks on web sites via mod-itk. These topics should be interesting for you (especially for those, who haven't read them before). 1. Interesting method of conducting XSS attacks in Firefox. http://websecurity.com.ua/5158/ In this article I've told about one method of conducting XSS attacks in Firefox. It's based on a feature of Gecko-based browsers, about which I know since 2006 and use for XSS attacks, but in 2011 I've enhanced this attack during security audit of web site of my client. This technique can be used for bypassing protections against XSS - built-in at web sites or WAFs. This browser feature was removed in Firefox 4. The attack works in Firefox 3.0.19, 3.5.19, 3.6.28 and previous versions. 2. Attacks on web sites via mod-itk. http://websecurity.com.ua/6043/ In this article I've told about attacks on web sites via mod-itk module for Apache. The mod_itk (mpm-itk) is a security module, but with not secure enough configuration it can bring serious security issue to web server (such as PHP code execution), even on web sites which are secure at web server without this module. In June I've informed about it the developer of this module and the developers of Apache. I've tested this attack on WordPress, but any web applications with file editing functionality can be used for it. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua