Also, Billy Hoffman has done a lot of fun work in this space, see http://www.gnucitizen.org/blog/javascript-remoting-dangers/
2010/4/22 Dan Kaminsky <[email protected]>: > Interesting use, using filesize to back into the actual CAPTCHA used for a > given query. Sneaky! > > So it's possible to read not only filesize, but image dimensions > cross-domain. I actually found a use for this -- it's a good way to > exchange a small amount of data between sites that mutually distrust one > another. The reason for this is that images are pretty much the only > resources that can be loaded cross-domain that won't have embedded script > executed by a browser. > > (Side note: At this point, you're probably thinking: Vladimir just said > that some browsers allow SVG to load via <img> -- and SVG can embed script > with nothing but a script tag and a smile! Doesn't this mean a bunch of > sites are in trouble? > > Turns out, no, not as far as I can tell anyway. IE and Firefox both block > <img> to SVG entirely, while Chrome, Safari, and Opera allow it. But there > appears to be a script firewall (or more accurately, a missing connection) > between <img>-loaded SVG and the script engine. Static SVG renders just > fine, but don't expect it to do anything unless you top-level nav, inline, > or use something like embed.) > > Back to image dimensions, it turns out that this information channel cannot > be closed; even if the dimensions of the object itself couldn't be queried, > the XY positioning of the objects *around* the imported images must be both > queryable and dependent on image properties. > > I was curious however if img.fileSize would leak filesizes of non-image > content. Doesn't look like it does -- undefined in everything but IE, -1 in > IE. > > > 2010/4/22 T Biehn <[email protected]> >> >> It could be used as a technique for defeating the login images used as >> "two-factor-authentication" by some online services. >> The application of using filesize to fingerprint an image is somewhat >> novel. This is a decidedly 'old' vector, though. >> >> -Travis >> >> 2010/4/21 Владимир Воронцов <[email protected]> >>> >>> Hello Full disclosure! >>> >>> Once again, unwinding theme HiJacking found a fun way to get the very >>> least information about the target resource when the user is located at >>> the >>> attacker. >>> >>> Already crocked <img> tag opens new opportunities using the method >>> fileSize, described here: >>> http://msdn.microsoft.com/en-us/library/ms533752 >>> (v = VS.85). Aspx >>> >>> Consider a simple example - a Web application after authentication >>> provides some sort of picture for the user, for example: >>> >>> http://example.com/getImage.php?image=myAvatar >>> >>> The attacker, knowing this can create a page to read: >>> >>> <img id="onsec" src="http://example.com/getImage.php?image=myAvatar";> >>> >>> <input type="button" onclick="if (onsec.fileSize> 0) (alert ('authorized >>> on example.com') else (alert ('not authorized on example.com')}"> >>> >>> Thus, the attacker learns the simplest case, whether the target user >>> access to example.com. >>> >>> Continuing the theme, I want to note that in some cases, can obtain >>> additional information from the very values of the size of the picture. >>> It >>> can be any logical information Web applications, say, the same script can >>> show administrators a picture of the same size, and users - of another. >>> Thus, we obtain the user rights. And so on. >>> >>> I'd like to return the size of the method is not only "valid" images, but >>> also HTML pages, JSON, etc. But, unfortunately, does not work. Maybe, of >>> course, there are exceptions, call to investigate the matter. >>> >>> I have some thoughts on the study of vector images in XML format, because >>> HTML is often valid XML, and then ... >>> >>> Check for the test version IE9, but he did not support SVG inside tag >>> <img>, but only as a separate tag. >>> >>> Works in IE8, in Opera 10.52 does not work on check writing, if not >>> difficult. >>> >>> Original at russian language: http://oxod.ru/?p=113 >>> >>> -- >>> Best regards, >>> Vladimir Vorontsov >>> ONsec security expert >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >> >> >> >> -- >> FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C >> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on >> http://pastebin.com/f6fd606da >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
