Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: The Extended HTML Form attack revisited

From: "Sandro Gauci" <publists () enablesecurity com>
Date: Tue, 24 Jun 2008 11:02:13 +0200
Updated the paper with a table of ports that are blocked for each browser:
http://tinyurl.com/5d88ll

The results show that Firefox and Safari block exactly the same ports,
while Opera makes use of its list of ports.
Internet Explorer blocks only 6 ports.

The blog post describes how I did this in detail:
http://enablesecurity.com/2008/06/23/which-ports-do-web-browsers-block/
or http://tinyurl.com/3oltlq

Involves javascript and a packet capture.

On Thu, Jun 19, 2008 at 3:09 AM, kuza55 <kuza55 () gmail com> wrote:

Hi,

Just thought I'd let you know that Wade Alcorn wrote a similar paper
in 2006: http://www.bindshell.net/papers/ipc (Using IMAP3 too), but of
course things have changed since then (namely this attack not working
against Firefox 2 or 3).

Also, there is a complete list of ports that Firefox blocks here:
http://www.mozilla.org/projects/netlib/PortBanning.html (which Wade's
paper references), and the default protocol handlers which can speak
to the blocked ports. Do you know if there's a list of ports published
by Microsoft/Opera/Apple about which ports are blocked in their
browsers? If not, would you be able to publish the ports you found
blocked in an appendix (I'm sure it wouldn't be too much code to whip
up to test it, but if you've already done so then there's no point in
duplicating work)?

I also did some digging myself and found that the reason Firefox
doesn't render the response as HTML is because it searches for the
string "http" (case-insensitive, no quotes) in the first 8 bytes of
the response; if you can satisfy that condition somehow then you can
still get it to happen, but of course that seems pretty unlikely.

IE also tries to search for a string, in this case "http/"
(case-insensitive, no quotes) in the first 1024 bytes, but only so
that it can identify http headers, so if you can inject data into the
first 1024 bytes of the response you can inject headers to do cache
poisoning, etc. (You can probably do header injection against Firefox
if you can trigger this, but the problem is of course triggering it on
FIrefox)

 - kuza55

2008/6/19 Sandro Gauci <publists () enablesecurity com>:

Hi -

Back in 2002 I had published details of a vulnerability affecting most
web browsers. It detailed a security flaw that allows attackers to
abuse non-HTTP protocols to launch Cross Site Scripting attacks even
when a target web application was not vulnerable to XSS.

Six years later I'm releasing an update to this research in this
paper. This security vulnerability still affects popular web browsers
nowadays and the following browsers were tested as vulnerable:

  * Internet Explorer 6
  * Internet Explorer 7
  * Internet Explorer 8 (beta 1)
  * Opera 9.27
  * Opera 9.50
  * Safari 1.32
  * Safari 3.1.1

Others have described how to abuse behavior for purposes other than
Cross Site Scripting. NGSSoftware previously published a paper called
"Inter-Protocol Exploitation" which references the original EyeonSecurity paper.

Paper at:
http://resources.enablesecurity.com/resources/the%20extended%20html%20form%20attack%20revisited.pdf

or http://tinyurl.com/5d88ll

--
Sandro Gauci
EnableSecurity
Web: http://enablesecurity.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/







-- 
Sandro Gauci
Owner and Founder of EnableSecurity
Phone: +356 99463069
Email: sandro () enablesecurity com
Web: http://enablesecurity.com/
PGP: 514D B10C 8C3C 15BB 2EFD 49EC 7CCD 73C5 0295 F23B

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: