不知道你说的是哪个DNS投毒的paper,太多了
你可以到 search.ph4nt0m.org 搜索一下
[Ph4nt0m]
[Ph4nt0m Security Team]
[EMAIL PROTECTED]
Email: [EMAIL PROTECTED]
PingMe:
=== Ultimate Hacking ===
=== XPLOITZ ! ===
=== #_# ===
#If you brave,there is nothing you cannot achieve.#
-----邮件原件-----
发件人: [email protected] [mailto:[EMAIL PROTECTED] 代表
AVGirl
发送时间: 2008年10月8日 23:02
收件人: Ph4nt0m
主题: [Ph4nt0m] Re: Clickjacking Details
大风,你把那个dns投毒啥的,有图的url给我吧
之前这里看见过,现在又找不到了
On 10月8日, 下午8时56分, Atomic <[EMAIL PROTECTED]> wrote:
> Interesting. But this kind of GUI trick attack has been performed
> before in practice, and in my opinion they are somewhat easier to
> exploit if the user is stupid enough.
>
> Well.. that's almost always the case ;)
>
> On 10月8日, 上午2时58分, 大风 <[EMAIL PROTECTED]> wrote:
>
>
>
> > Today is the day we can finally start talking about clickjacking. This
is
> > just meant to be a quick post that you can use as a reference sheet. It
is
> > not a thorough advisory of every site/vendor/plugin that is vulnerable -
> > there are far too many to count. Jeremiah and I got the final word today
> > that it was fine to start talking about this due to the
> >
<http://blog.guya.net/2008/10/07/malicious-camera-spying-using-clickja...>
click jacking PoC against Flash that was released today (watch the video
>
> > for a good demonstration) that essentially spilled the beans regarding
> > several of the findings that were most concerning. Thankfully, Adobe has
> > been working on this since we let them know, so despite the careless
> > disclosure, much of the work to mitigate this on their end is already
> > complete.
>
> > First of all let me start by saying there are multiple variants of
> > clickjacking. Some of it requires cross domain access, some doesn't.
Some
> > overlays entire pages over a page, some uses iframes to get you to click
on
> > one spot. Some requires JavaScript, some doesn't. Some variants use CSRF
to
> > pre-load data in forms, some don't. Clickjacking does not cover any one
of
> > these use cases, but rather all of them. That's why we had to come up
with
> > a new term for it - like the term or not. As CSRF didn't fit the
> > requirements for clickjacking, we had to come up with a new term to
avoid
> > confusion. If you like Michael
> >
<http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/01...
> > tml> Zalewski's term "UI redress attack" better use that one, it's just
> > not CSRF and shouldn't be mistaken for any other attack, since it really
is
> > different. Here is the technical detail:
>
> > Issue #1 STATUS: Unresolved. Clickjacking allows attackers to subvert
clicks
> > and send the victim's clicks to web-pages that allow themselves to be
> > framed with or without JavaScript. One-click submission buttons or links
are
> > the most vulnerable. It has been known since at least 2002
> > <https://bugzilla.mozilla.org/show_bug.cgi?id=154957#c6> and has seen
at
> > least three different PoC exploits (Google Desktop MITM attack, Google
> > Gadgets auto-add and click fraud). All major browsers appear to be
affected.
>
> > Issue #1a STATUS: Unresolved. JavaScript is not required to initiate the
> > attack as CSS can place invisible iframes over any known target (EG: the
> > only link on the red herring page). Turning off JavaScript also neuters
one
> > of the only practical web based defenses against the attack which is the
use
> > of frame busting code.
>
> > Issue #2 STATUS: Unresolved. ActiveX controls are potentially
susceptible to
> > clickjacking if they don't use traditional modal dialogs, but rather
rely
> > on on-page prompting. This requires no cross domain access, necessarily,
> > which means iframes/frames are not a prerequisite on an attacker
controlled
> > page.
>
> > Issue #2a STATUS: To be fixed in Flash 10 release. All prior versions of
> > Flash on Firefox on MacOS are particularly vulnerable to camera and
video
> > monitoring due to security issues allowing the object to be turned
opaque or
> > covered up. This fix relies on all users upgrading, and since Flash
users
> > are notoriously slow at upgrading, this exploit is expected to persist.
> > Turning off microphone access in the bios and unplugging/removing
controls
> > to the camera are an alternative. Here is the information directly
> > <http://www.adobe.com/support/security/advisories/apsa08-08.html> from
> > Adobe.
>
> > Issue #2b STATUS: Resolved. Flash security settings manager is also
> > particularly vulnerable, allowing the attacker to turn off the security
of
> > Flash completely. This includes camera/microphone access as well as
cross
> > domain access. Resolved using frame busting code, bug #4 below
> > notwithstanding.
>
> > Issue #2c STATUS: To be fixed in Flash 10 release. All versions of Flash
on
> > IE7.0 and IE8.0 can be overlayed by opaque div tags. Using an
onmousedown
> > event handler the object click registers as long as the divs are removed
by
> > the onmousdown event handler function. Demo here
> > <http://ha.ckers.org/weird/cjdivtest.html> of stealing access to the
> > microphone.
>
> > Issue #3 STATUS: To be fixed in the final release candidate. Flash on
IE8.0
> > Beta is persistent across domains (think "ghost in the browser"). This
> > would be a much worse vulnerability except for the fact that it beta and
> > almost no one is using it.
>
> > Issue #4 STATUS: Unresolved. Framebusting code does not appear to work
well
> > on some sites on IE8.0 Beta. Instead it is marked as a popup which is
> > blocked by the browser - disallowing the frame busting code from
executing.
>
> > Issue #5 STATUS: Unresolved. State of clicks on other domains can be
> > monitored with JavaScript (works best in Internet Explorer but other
> > browsers are vulnerable too) which is cross domain leakage and can allow
for
> > more complex multi-click attacks. For example a page that has a check
box
> > and a submit button could be subverted upon two successful clickjacks.
> > Additionally, this can make the attack completely seemless to a user by
> > surrendering control of the mouse back to the user once the attack has
> > completed.
>
> > Issue #6 STATUS: Unresolved. "Unlikely" XSS vulnerabilities that require
> > onmouseover or onmousedown events on other parts of pages on other
domains
> > are suddenly more likely. For example if a webpage has a XSS
vulnerability
> > where the only successful attacks are things like onmouseover or
> > onmousedown, etc... on unlikely parts of the page, an attacker can
promote
> > those exploits by framing them and placing the mouse cursor directly
above
> > the target XSS area. Therefore, otherwise typically uninteresting or
> > unlikely XSS exploits can be made more dangerous.
>
> > Issue #7 STATUS: Fixed in current releases post 1.8.1.9. Firefox's
Noscript
> > plugin's functionality to forbid iframe's can be subverted by iframing a
> > page that contains a cross domain frame or as Ronald found
> > <http://www.0x000000.com/index.php?i=316> by using object tags. Giorgio
> > Maone <http://noscript.net/changelog> validated the issues and issued
> > patches in future releases of the code as well as other potential
> > clickjacking mitigation. 1.8.1.6, 1.8.1.7, 1.8.1.8, 1.8.1.9, 1.8.2 and
> > 1.8.2.1 all contain anti-clickjacking code. All prior versions to 1.8.1.
9
> > were vulnerable to cross domain clickjacking.
>
> > Issue #8 STATUS: Unresolved. Attempts to protect against CSRF using
nonces
> > can often be overcome by clickjacking as long as the URL of the page
that
> > contains the link that includes the nonce is known. Eg: Google Gadgets
> > exploit discussed in Blackhat "Xploiting Google Gadgets" speech. The
only
> > semi-decent defenses against this are to omit the nonces in JavaScript
space
> > and also include the frame busting code in the same JavaScript. This
will
> > break for users who do not use JavaScript though, so it is not an ideal
> > solution.
>
> > From an attacker's perspective the most important thing is that a) they
> > know where to click and b) they know the URL of the page they want you
to
> > click, in the case of cross domain access. So if either one of these two
> > requirements aren't met, the attack falls down. Frame busting code is
the
> > best defense if you run web-servers, if it works (and in our tests it
> > doesn't always work). I should note some people have mentioned
> > security=restricted as a way to break frame busting code, and that is
true,
> > although it also fails to send cookies, which might break any
significant
> > attacks against most sites that check credentials.
>
> > Thanks to Adobe, Microsoft, Firefox, Apple and the various other vendors
and
> > people who have been helpful/supportive and care to fix the issue. Also
> > thanks to the researchers who found these issues independently after
> > Jeremiah and I were unable to do our speech, but kept it to themselves
> > (Arshan Dabirsiaghi, Jerry Hoff, Eduardo Vela, Matthew Matracci, and Liu
Die
> > Yu). I will release a whitepaper to the informer
> > <http://informer.ihackstuff.com/> via hackers for charity
> > <http://www.hackersforcharity.org/> sometime today or tomorrow. I'll
also
> > make that whitepaper available publicly sometime next week and
information
> > forthcoming when I have some time to put it up. Source to generic
> > clickjacking code available here <http://ha.ckers.org/weird/cj.cgi.gz> .
I
> > will keep this post up to date with additional issues and updates as I
am
> > aware of them.
>
> > [Ph4nt0m] <http://www.ph4nt0m.org/>
>
> > [Ph4nt0m Security Team]
>
> > <http://blog.ph4nt0m.org/> [EMAIL PROTECTED]
>
> > Email: [EMAIL PROTECTED]
>
> > PingMe:
> >
<http://cn.pingme.messenger.yahoo.com/webchat/ajax_webchat.php?yid=han...
> > hq&sig=9ae1bbb1ae99009d8859e88e899ab2d1c2a17724>
>
> > === V3ry G00d, V3ry Str0ng ===
>
> > === Ultim4te H4cking ===
>
> > === XPLOITZ ! ===
>
> > === #_# ===
>
> > #If you brave,there is nothing you cannot achieve.#
>
> > image001.gif
> > 5K查看下载- 隐藏被引用文字 -
>
> - 显示引用的文字 -
--~--~---------~--~----~------------~-------~--~----~
要向邮件组发送邮件,请发到 [email protected]
要退订此邮件,请发邮件至 [EMAIL PROTECTED]
-~----------~----~----~----~------~----~------~--~---
