Interesting use, using filesize to back into the actual CAPTCHA used for a given query. Sneaky!
So it's possible to read not only filesize, but image dimensions cross-domain. I actually found a use for this -- it's a good way to exchange a small amount of data between sites that mutually distrust one another. The reason for this is that images are pretty much the only resources that can be loaded cross-domain that won't have embedded script executed by a browser. (Side note: At this point, you're probably thinking: Vladimir just said that some browsers allow SVG to load via <img> -- and SVG can embed script with nothing but a script tag and a smile! Doesn't this mean a bunch of sites are in trouble? Turns out, no, not as far as I can tell anyway. IE and Firefox both block <img> to SVG entirely, while Chrome, Safari, and Opera allow it. But there appears to be a script firewall (or more accurately, a missing connection) between <img>-loaded SVG and the script engine. Static SVG renders just fine, but don't expect it to do anything unless you top-level nav, inline, or use something like embed.) Back to image dimensions, it turns out that this information channel cannot be closed; even if the dimensions of the object itself couldn't be queried, the XY positioning of the objects *around* the imported images must be both queryable and dependent on image properties. I was curious however if img.fileSize would leak filesizes of non-image content. Doesn't look like it does -- undefined in everything but IE, -1 in IE. 2010/4/22 T Biehn <[email protected]> > It could be used as a technique for defeating the login images used as > "two-factor-authentication" by some online services. > The application of using filesize to fingerprint an image is somewhat > novel. This is a decidedly 'old' vector, though. > > -Travis > > 2010/4/21 Владимир Воронцов <[email protected]> > > Hello Full disclosure! >> >> Once again, unwinding theme HiJacking found a fun way to get the very >> least information about the target resource when the user is located at >> the >> attacker. >> >> Already crocked <img> tag opens new opportunities using the method >> fileSize, described here: >> http://msdn.microsoft.com/en-us/library/ms533752 >> (v = VS.85). Aspx >> >> Consider a simple example - a Web application after authentication >> provides some sort of picture for the user, for example: >> >> http://example.com/getImage.php?image=myAvatar >> >> The attacker, knowing this can create a page to read: >> >> <img id="onsec" src="http://example.com/getImage.php?image=myAvatar";> >> >> <input type="button" onclick="if (onsec.fileSize> 0) (alert ('authorized >> on example.com') else (alert ('not authorized on example.com')}"> >> >> Thus, the attacker learns the simplest case, whether the target user >> access to example.com. >> >> Continuing the theme, I want to note that in some cases, can obtain >> additional information from the very values of the size of the picture. It >> can be any logical information Web applications, say, the same script can >> show administrators a picture of the same size, and users - of another. >> Thus, we obtain the user rights. And so on. >> >> I'd like to return the size of the method is not only "valid" images, but >> also HTML pages, JSON, etc. But, unfortunately, does not work. Maybe, of >> course, there are exceptions, call to investigate the matter. >> >> I have some thoughts on the study of vector images in XML format, because >> HTML is often valid XML, and then ... >> >> Check for the test version IE9, but he did not support SVG inside tag >> <img>, but only as a separate tag. >> >> Works in IE8, in Opera 10.52 does not work on check writing, if not >> difficult. >> >> Original at russian language: http://oxod.ru/?p=113 >> >> -- >> Best regards, >> Vladimir Vorontsov >> ONsec security expert >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > > > -- > FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C > http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on > http://pastebin.com/f6fd606da > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
