Monday, August 27, 2007
Blog.hr update
Monday, July 16, 2007
Hacking blog.hr
Here is the explanation.
While editing a blog, user can access HTML code of the template. JavaScript code is not filtered in any way. We insert the following code inside the HEAD html section:
This is a regular XSS+CSRF attack, where the browser, instead of trying to get an image, sends the cookie data of the guest user. If the user is logged on, the cookies are sent to the attacker server via GET parameter.
Csrf.php script is a modified HTTP client class (http://www.phpclasses.org/browse/package/576.html). The script creates HTTP post request to change BOX-4 section of the victims blog (www.blog.hr/edit/?page=blogeditor&menu=2,3) while inserting recieved cookie data into the request header and setting the valid referer field. When the request is recieved on blog.hr, it seems like it is valid.
BOX-4 can also be used for defacement, with a code like:
Also, JavaScript can be inserted inside BOX-4 section, so the code could propagate pretty fast.
Here is the video:
Here are the files:
PHP class
PHP script
JS code for XSS
Monday, July 9, 2007
Diploma thesis - Security of AJAX Web applications
Abstract
This diploma thesis describes security problems in Web applications based on AJAX technology. It describes basic AJAX mechanisms, most common Web application vulnerabilities and specific problems that refer to AJAX applications, as well as the way of resolving them. Most of descriptions are followed by real life examples for easier understanding. Also, examples show the newest trends in vulnerability exploitation on the communication between client and server, as well as on the client itself. The practical part of the paper describes the created AJAX application used for manipulating the IKE configuration files and the security problems specific to that application.
Wednesday, April 11, 2007
Ajax specific vulnerabilities?
The OWASP Top 10 (link) vulnerabilities are just too much non AJAX specific and Top 10 Ajax Security Holes and Driving Factors (link) don't seem too deep.
Also, client attacks that are very interesting, like XSS proxy (link) and JS port scanning (link) are not really using much AJAX.
I guess I'll have to find out something myself :)
Friday, April 6, 2007
Javascript security for newbies
On Feb 6, 4:37 pm, "Lucas Kruijswijk"
wrote:
> I have a security question. Instead of heaving a session key,
> I was thinking to hold the password of some application in
> a Javascript variable.
> Each time a http (or https) request is send from Javascript,
> I also send the password. The server checks the password
> and sends back the result.
anything you write in JavaScript can be view with a simple click on
view source. JavaScript is for manipulating DOM creating dynamic
pages. Security is something always best kept to a computer you know
(eg. the server) rather than the user's computer you know nothing
about.
> In this way, no need for session.
> Is there a security problem with this kind of programming?
> The only thing I could think of, is that in Firefox and firebug
> someone could access the variable to get the password. But
> that is a risk I take.
> I am more concerned that some evil website could steal the
> password by some other Javascript. But I could not find
> a way, so, I assume this is rather safe.
> Or, does someone disagree?
> Regards,
The full posting is on
link