[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] The Extended HTML Form attack revisited



Updated the paper with a table of ports that are blocked for each browser:
http://tinyurl.com/5d88ll

The results show that Firefox and Safari block exactly the same ports,
while Opera makes use of its list of ports.
Internet Explorer blocks only 6 ports.

The blog post describes how I did this in detail:
http://enablesecurity.com/2008/06/23/which-ports-do-web-browsers-block/
or http://tinyurl.com/3oltlq

Involves javascript and a packet capture.

On Thu, Jun 19, 2008 at 3:09 AM, kuza55 <kuza55@xxxxxxxxx> wrote:
> Hi,
>
> Just thought I'd let you know that Wade Alcorn wrote a similar paper
> in 2006: http://www.bindshell.net/papers/ipc (Using IMAP3 too), but of
> course things have changed since then (namely this attack not working
> against Firefox 2 or 3).
>
> Also, there is a complete list of ports that Firefox blocks here:
> http://www.mozilla.org/projects/netlib/PortBanning.html (which Wade's
> paper references), and the default protocol handlers which can speak
> to the blocked ports. Do you know if there's a list of ports published
> by Microsoft/Opera/Apple about which ports are blocked in their
> browsers? If not, would you be able to publish the ports you found
> blocked in an appendix (I'm sure it wouldn't be too much code to whip
> up to test it, but if you've already done so then there's no point in
> duplicating work)?
>
> I also did some digging myself and found that the reason Firefox
> doesn't render the response as HTML is because it searches for the
> string "http" (case-insensitive, no quotes) in the first 8 bytes of
> the response; if you can satisfy that condition somehow then you can
> still get it to happen, but of course that seems pretty unlikely.
>
> IE also tries to search for a string, in this case "http/"
> (case-insensitive, no quotes) in the first 1024 bytes, but only so
> that it can identify http headers, so if you can inject data into the
> first 1024 bytes of the response you can inject headers to do cache
> poisoning, etc. (You can probably do header injection against Firefox
> if you can trigger this, but the problem is of course triggering it on
> FIrefox)
>
>  - kuza55
>
> 2008/6/19 Sandro Gauci <publists@xxxxxxxxxxxxxxxxxx>:
>> Hi -
>>
>> Back in 2002 I had published details of a vulnerability affecting most
>> web browsers. It detailed a security flaw that allows attackers to
>> abuse non-HTTP protocols to launch Cross Site Scripting attacks even
>> when a target web application was not vulnerable to XSS.
>>
>> Six years later I'm releasing an update to this research in this
>> paper. This security vulnerability still affects popular web browsers
>> nowadays and the following browsers were tested as vulnerable:
>>
>>   * Internet Explorer 6
>>   * Internet Explorer 7
>>   * Internet Explorer 8 (beta 1)
>>   * Opera 9.27
>>   * Opera 9.50
>>   * Safari 1.32
>>   * Safari 3.1.1
>>
>> Others have described how to abuse behavior for purposes other than
>> Cross Site Scripting. NGSSoftware previously published a paper called
>> "Inter-Protocol Exploitation" which references the original EyeonSecurity 
>> paper.
>>
>> Paper at:
>> http://resources.enablesecurity.com/resources/the%20extended%20html%20form%20attack%20revisited.pdf
>>
>> or http://tinyurl.com/5d88ll
>>
>> --
>> Sandro Gauci
>> EnableSecurity
>> Web: http://enablesecurity.com/
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>



-- 
Sandro Gauci
Owner and Founder of EnableSecurity
Phone: +356 99463069
Email: sandro@xxxxxxxxxxxxxxxxxx
Web: http://enablesecurity.com/
PGP: 514D B10C 8C3C 15BB 2EFD 49EC 7CCD 73C5 0295 F23B

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/