Comments on: Persistent XSS and CSRF on Wireless-G ADSL Gateway with SpeedBooster (WAG54GS) http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs/ Information Security Think Tank Sat, 02 Feb 2013 17:50:40 +0000 hourly 1 http://wordpress.org/?v=3.4.1 By: Infrastructure Attacks: A Growing Concern : DoxPara Research http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs/comment-page-1/#comment-126371 Infrastructure Attacks: A Growing Concern : DoxPara Research Tue, 24 Mar 2009 22:09:36 +0000 http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs#comment-126371 [...] about.  CSRF — Cross Site Request Forgery — attacks have affected everyone from Linksys to Motorola to Siemens to Cisco.  More problematically, the DNS Rebinding attacks discussed by [...] [...] about.  CSRF — Cross Site Request Forgery — attacks have affected everyone from Linksys to Motorola to Siemens to Cisco.  More problematically, the DNS Rebinding attacks discussed by [...]

]]> By: Holes in Embedded Devices: Authentication bypass (pt 2) | GNUCITIZEN http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs/comment-page-1/#comment-114825 Holes in Embedded Devices: Authentication bypass (pt 2) | GNUCITIZEN Fri, 15 Feb 2008 17:19:07 +0000 http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs#comment-114825 [...] http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-... » comments rss | posted by » Adrian Pastor [...] [...] http://www.gnucitizen.org/blog.....edbooster-… » comments rss | posted by » Adrian Pastor [...]

]]> By: hackathology http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs/comment-page-1/#comment-78295 hackathology Wed, 28 Nov 2007 16:09:36 +0000 http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs#comment-78295 Nice one Nice one

]]> By: Adrian Pastor http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs/comment-page-1/#comment-74721 Adrian Pastor Tue, 20 Nov 2007 23:01:38 +0000 http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs#comment-74721 Jordan, newer browsers like FF 2 spawn a warning when typing 'http://admin:admin@192.168.1.1/' and similar URLs which submit basic auth credentials. However, when playing with these attacks I remember getting more a interesting behavior on FF 2 if embedding URLs within HTML - ie: on iframes. Anyway, the best persistent XSS/CSRF type of flaw you can get is within log facilities. Reason being is that when the injected payload is triggered, the victim admin must be logged in by design (in order to check the logs) - hence no need to submit the password along the CSRFed request. I found something like this on Axis IP cameras: http://www.procheckup.com/Vulnerability_Axis_2100_research.pdf Jordan, newer browsers like FF 2 spawn a warning when typing ‘http://admin:admin@192.168.1.1/’ and similar URLs which submit basic auth credentials.

However, when playing with these attacks I remember getting more a interesting behavior on FF 2 if embedding URLs within HTML – ie: on iframes.

Anyway, the best persistent XSS/CSRF type of flaw you can get is within log facilities. Reason being is that when the injected payload is triggered, the victim admin must be logged in by design (in order to check the logs) – hence no need to submit the password along the CSRFed request.

I found something like this on Axis IP cameras: http://www.procheckup.com/Vuln.....search.pdf

]]> By: Jordan http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs/comment-page-1/#comment-74656 Jordan Tue, 20 Nov 2007 20:58:04 +0000 http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs#comment-74656 One kinda tangential question -- I haven't played with it in a little while, but when I was doing something similar with a linksys a while back, if you specified the username:password in the url in a link, Firefox would trap the request and alert the user. Is there a type of request that bypasses that, or does IE7 not have the same feature? I realize that doesn't actually fix the problem, but it at least does give the user a chance to say no and keeps the CSRF from working without their knowledge if they know what they're doing (hah!) Unless of course they're still logged in to the router when the attack occurs in which case no need to pass the credentials in the URL at all... One kinda tangential question — I haven’t played with it in a little while, but when I was doing something similar with a linksys a while back, if you specified the username:password in the url in a link, Firefox would trap the request and alert the user.

Is there a type of request that bypasses that, or does IE7 not have the same feature?

I realize that doesn’t actually fix the problem, but it at least does give the user a chance to say no and keeps the CSRF from working without their knowledge if they know what they’re doing (hah!)

Unless of course they’re still logged in to the router when the attack occurs in which case no need to pass the credentials in the URL at all…

]]>