Comments on: Frame Injection Fun

By: GUYA.NET » Blog Archive » Google Hackathon was hacked

GUYA.NET » Blog Archive » Google Hackathon was hacked — Wed, 05 Nov 2008 00:45:13 +0000

[...] I got was that I should report this somewhere in the GMail website. But, it’s already been reported, I [...]

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Tue, 21 Oct 2008 07:07:13 +0000

@Chintan: this is a problem of semantics, we could talk about it forever. It doesn’t matter what you call it, the issue is still the same: you can insert third-party content while still showing mail.google.com in the address bar.

We did NOT come up with the term “frame injection” (just do a Google search), neither did we claim we came up with a new technique. The only reason why there has been some media interest is because Google is something everyone can relate to.

Thanks a lot for your feedback again btw.

By: Chintan

Chintan — Sun, 19 Oct 2008 16:32:33 +0000

@Adrian - I appreciate your explanation. But i still think an attacker is not adding any frame into victim’s page. I think it can be termed as url redirection via frames.

The reason the address bar reflects new url in a traditional url redirection attack is because the redirection is direct one (i.e. @page level).

Since in this case the the functionality of the frame is to load an external url- which is abused to load an arbitrary page inside that frame, it will never show up in address bar (not even for the legitimate page).

I repeat, an attacker is not injecting any frame into victim’s webpage. Only the content of the existing frame changes as the domain is not restricted. Then how can one call it frame “Injection”?

I think the debate may be endless. Instead i give it up here. Feel free to call it anything you want.

None the less, not a bad catch (just that it has been overhyped to reflect as a new kind of attack). I have always appreciated GNU Citizen for their innovations, but i cannot give credit for this one atleast.

By: Diversas vulnerabilidades en Google | El blog de José Luís Zayas

Diversas vulnerabilidades en Google | El blog de José Luís Zayas — Sat, 18 Oct 2008 14:33:50 +0000

[...] La primera de ellas se trata de un Cross Domain Frame http://mail.google.com/imgres?......com/482f3 según podemos ver, un usuario que entrara en dicho link podría ser engañado y capturar sus credenciales de su cuenta Google, más información aquí. [...]

By: Frame injection exploits Google flaw | Information Systems Security

Frame injection exploits Google flaw | Information Systems Security — Fri, 17 Oct 2008 17:55:01 +0000

[...] posted the frame-injection PoC example against Google on the GNUCitizen blog. He explained that frame injection works by inserting the URL of a third-party website into the [...]

By: Ethical Hackers » Google Gmail, Other Apps, Vulnerable To Attack

Ethical Hackers » Google Gmail, Other Apps, Vulnerable To Attack — Fri, 17 Oct 2008 03:13:59 +0000

[...] ‘pagvac’ Pastor, a security researcher with GNUCitizen.org, on Friday posted proof-of-concept code that can inject a third-party page — a fake login page in Pastor’s example — while the [...]

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Thu, 16 Oct 2008 07:10:09 +0000

@Chintan: sure it IS different. In a redirection attack, the URL in the browser’s address bar changes to a non-trusted third-party site once the “evil” URL is visited. In a frame injection attack, the address bar remains showing the legitimate domain after the “evil” URL is visited.

It is called frame injection because the third-party content is inserted via a dynamically generated frame. Check the ‘frame’ tags in the source code for more info.

@Daniel: I’m actually against creating new vulnerability names, it just complicates things. The only reason I mentioned the term “frame injection” is because: 1) it’s NOT a new term. 2) the filtering solution needed is different to the one required for “pure” XSS/HTMLi vulnerabilities as the attacker doesn’t need to inject “dangerous” characters. At least generally speaking.

By: Serviços do Google estão vulneráveis a Frame Injection | Elvis Fernandes

Serviços do Google estão vulneráveis a Frame Injection | Elvis Fernandes — Wed, 15 Oct 2008 11:40:05 +0000

[...] O Adrian ‘pagvac’ Pastor, da GNUCitizen, postou sua descoberta sobre a vulnerabilidade do google a ataques de Frame Injection. [...]

By: Jim Manico

Jim Manico — Tue, 14 Oct 2008 18:00:26 +0000

RE: Comments about about input validation above : you do NOT defend against XSS by input validation - thats one of the biggest misnomers in AppSec. You solve it via ENCODING data before presenting it to your users. ESAPI, for example, provides a variety of data encoding functions depending on context: encodeForHTML, encodeForHTMLEntity, encodeForJavascript, etc.

By: Google Gmail, Other Apps, Vulnerable To Attackers , Hackers | Tech At Hand Dot Net | Philippines, Technology, SEO and Blogging

Tue, 14 Oct 2008 09:03:48 +0000

[...] Adrian ‘pagvac’ Pastor, a security researcher with GNUCitizen.org, on Friday posted proof-of-concept code that can inject a third-party page — a fake login page in Pastor’s example — [...]

By: Chintan

Chintan — Tue, 14 Oct 2008 02:16:29 +0000

Hi, I don’t think its any thing different from URL Redirection (except that it is now wrapped with a new shiny marketing lingo). I still don’t understand where the frame gets injected! It’s just getting loaded from an external source.

Instead of loading Fake Gmail page, you can load any page instead. The following loads yahoo :P

http://mail.google.com/imgres?...../yahoo.com

Can some one please explain me the rationale for calling it a frame injection?

By: Be Careful With Your GMail Account! | Jialat dot Com

Be Careful With Your GMail Account! | Jialat dot Com — Tue, 14 Oct 2008 00:54:08 +0000

[...] mail users ‘at risk’ of being duped New Google bugs empower phishermen Adrian Pastor’s original report Share and [...]

By: frank

frank — Mon, 13 Oct 2008 18:22:00 +0000

i think that this one http://www.securiteam.com/secu.....00PFE.html was a big security problem in google and no one was talking about it!

bye
frank

By: CompuSec.Org » Blog Archive » Proof of Concept: Google bugs

CompuSec.Org » Blog Archive » Proof of Concept: Google bugs — Mon, 13 Oct 2008 16:06:54 +0000

[...] vulnerability with google mail and calendar, etc. It has been proven to work by Adrian Pastor at gnucitizen. This link explains how it all [...]

By: Daniel

Daniel — Mon, 13 Oct 2008 12:42:40 +0000

Whilst ’some’ people consider them to be different, in reality they are not.

I know it’s the rage at the moment to think up new and exciting names for vulnerabilities, but let’s try and keep this simple.

When we did the OWASP Top 10, we decided it would be easier to group them all under the same banner; Injection Flaws

http://www.owasp.org/index.php/Injection_Flaws

By: Google colto in “Falla” :: News Orebla.it

Google colto in “Falla” :: News Orebla.it — Sun, 12 Oct 2008 08:10:27 +0000

[...] Injection Vulnerabilities” in cui è possibile visualizzare l’esempio. Invece qui potete leggere un approfondimento su come funziona un attacco di tipo Frame [...]

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Sat, 11 Oct 2008 19:18:37 +0000

I was not suggesting that filtering quotation marks or angle brackets is enough to stop all forms of XSS! Of course it’s not enough, as it will only avoid very-vanilla XSS attacks. Think of XSS vulns where the injected payload is echoed within an already-existing JavaScript snippet (within existing ’script’ tags). In this case, common blacklisting techniques will NOT help. This is why I always recommend applying *white-listing* filtering whenever possible.

Take the example of a frame injection vuln. If you already know what URLs should be allowed to be inserted, then you should reject anything other than that. For instance, you could add the list of the trusted URLs in the backend DB, and assign a different ID to each of them. So that the URL only takes IDs as an argument. i.e.:

https://www.site.foo/index.php?targetframe=1

If ‘targetframe’ is assigned an integer value which doesn’t exist in the DB, then no frame is inserted whatsoever. The beauty is that the attacker cannot now manipulate the inserted frames. However, some sites cannot predict what URLs should be allowed to be inserted as frames. An example is the Google Images frame injection problem mentioned before.

By: Proof of Concept- Google Open to frame injection attack?

Proof of Concept- Google Open to frame injection attack? — Sat, 11 Oct 2008 14:04:57 +0000

[...] Frame Injection Proof of Concept Code [...]

By: Gmail security exploit; Google domain ‘proof-of-concept’ bug

Gmail security exploit; Google domain ‘proof-of-concept’ bug — Sat, 11 Oct 2008 11:10:23 +0000

[...] “The previous PoC URL will cause the entered credentials to be submitted to http://www.gnucitizen.org when clicking on the Sign in, so please do NOT submit any real credentials,” Pastor warns here. [...]

By: will

will — Sat, 11 Oct 2008 06:41:22 +0000

even fools LastPass into thinking you want to log into google mail