Comments on: Web Pages from Hell http://www.gnucitizen.org/blog/web-pages-from-hell/ Information Security Think Tank Fri, 29 Aug 2008 19:00:39 +0000 http://wordpress.org/?v=2.6.1 By: tom http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-81135 tom Tue, 04 Dec 2007 23:24:07 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-81135 this web page looks weird like a programmer T-shirt this web page looks weird like a programmer T-shirt

]]> By: sushant http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-59247 sushant Wed, 17 Oct 2007 19:01:35 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-59247 i am confused. my question is Can i open C drive document on client browser by giving a path in iframe example can i do this ?? i am confused. my question is

Can i open C drive document on client browser by giving a path in iframe

example

can i do this ??

]]> By: pdp http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-23639 pdp Fri, 25 May 2007 14:07:35 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-23639 crash_daemonicus, I totally agree with you, however you can still get certain parts of the file if the information that you are interested in is somewhere at the top of the file. The way you do that is by importing the file as script and watching for errors. Some JS interpreters return not only the type of error that is generated but also the actual code line, which is exactly what you are after. crash_daemonicus,

I totally agree with you, however you can still get certain parts of the file if the information that you are interested in is somewhere at the top of the file. The way you do that is by importing the file as script and watching for errors. Some JS interpreters return not only the type of error that is generated but also the actual code line, which is exactly what you are after.

]]> By: crash_daemonicus http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-23623 crash_daemonicus Fri, 25 May 2007 11:57:53 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-23623 I guess another classic example of information disclosure would be using res:// calls to DLL's to load images only there in certain versions of windows and then testing the image's width and height information with javascript... PS. last post my example HTML didnt post: <pre><code><script src=C:\file.ext></code></pre> I guess another classic example of information disclosure would be using res:// calls to DLL’s to load images only there in certain versions of windows and then testing the image’s width and height information with javascript…

PS. last post my example HTML didnt post:

<script src=C:\file.ext>
]]> By: crash_daemonicus http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-23621 crash_daemonicus Fri, 25 May 2007 11:51:58 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-23621 <blockquote>MARCOS, maybe I don’t quite understand your question but from what I see you want to retrieve the content of c:\test\x.htm from http://www.example.com for example. That is not possible.</blockquote> well, unless your target file is a configuration file that would be in correct syntax as a JS file.... then you simply and call each configuration variable by name but anymore it'd be difficult unless your target is a specific program's configuration file because anymore they have [type of information] lines that will kill the script but if they dont then there might be a problem lol

MARCOS, maybe I don’t quite understand your question but from what I see you want to retrieve the content of c:\test\x.htm from http://www.example.com for example. That is not possible.

well, unless your target file is a configuration file that would be in correct syntax as a JS file…. then you simply and call each configuration variable by name

but anymore it’d be difficult unless your target is a specific program’s configuration file because anymore they have [type of information] lines that will kill the script

but if they dont then there might be a problem lol

]]> By: GNUCITIZEN » PDF Strikes Back http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-5555 GNUCITIZEN » PDF Strikes Back Wed, 28 Feb 2007 12:33:26 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-5555 [...] Where does this leave us? I found that the checks implemented in Reader and Acrobat Trial are inefficient. My investigation shows that it is possible to launch file:// urls, which is something very dangerous to do. file:// protocol urls, launched in the browser, grant malicious JavaScript objects permissions to list the filesystem and steal confidential information. More information about the dangers of the file:// protocol can be found here and here. [...] [...] Where does this leave us? I found that the checks implemented in Reader and Acrobat Trial are inefficient. My investigation shows that it is possible to launch file:// urls, which is something very dangerous to do. file:// protocol urls, launched in the browser, grant malicious JavaScript objects permissions to list the filesystem and steal confidential information. More information about the dangers of the file:// protocol can be found here and here. [...]

]]> By: Denial Of Service » Blog Archive » Universal PDF XSS http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-2412 Denial Of Service » Blog Archive » Universal PDF XSS Mon, 15 Jan 2007 23:50:40 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-2412 [...] You can see that the above URL is accessed with the file protocol. This means that we have access to other resources served by the same protocol. For more information how to access the file system, read the current user history file, dump the registry, download the SAM file or access other sensitive information read here and here. [...] [...] You can see that the above URL is accessed with the file protocol. This means that we have access to other resources served by the same protocol. For more information how to access the file system, read the current user history file, dump the registry, download the SAM file or access other sensitive information read here and here. [...]

]]> By: Denial Of Service » Blog Archive » http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-2375 Denial Of Service » Blog Archive » Mon, 15 Jan 2007 04:54:24 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-2375 [...] You can see that the above URL is accessed with the file protocol. This means that we have access to other resources served by the same protocol. For more information how to access the file system, read the current user history file, dump the registry, download the SAM file or access other sensitive information read here and here. [...] [...] You can see that the above URL is accessed with the file protocol. This means that we have access to other resources served by the same protocol. For more information how to access the file system, read the current user history file, dump the registry, download the SAM file or access other sensitive information read here and here. [...]

]]> By: pdp http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-1852 pdp Thu, 04 Jan 2007 13:12:34 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-1852 the Java live connect will work on FF and Opera only. The rest should work on all browsers the Java live connect will work on FF and Opera only. The rest should work on all browsers

]]> By: PartyOf1 http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-1849 PartyOf1 Thu, 04 Jan 2007 12:33:48 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-1849 Do all the attack functions work if IE or FF are runing inside of something like SandBoxIE? Does the attack also try to work on a Virtual machine? Do all the attack functions work if IE or FF are runing inside of something like SandBoxIE?

Does the attack also try to work on a Virtual machine?

]]> By: GNUCITIZEN » Universal PDF XSS After Party http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-1847 GNUCITIZEN » Universal PDF XSS After Party Thu, 04 Jan 2007 12:15:19 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-1847 [...] You can see that the above URL is accessed with the file protocol. This means that we have access to other resources served by the same protocol. For more information how to access the file system, read the current user history file, dump the registry, download the SAM file or access other sensitive information read here and here. [...] [...] You can see that the above URL is accessed with the file protocol. This means that we have access to other resources served by the same protocol. For more information how to access the file system, read the current user history file, dump the registry, download the SAM file or access other sensitive information read here and here. [...]

]]> By: GNUCITIZEN » Web Pages from Hell 2 http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-654 GNUCITIZEN » Web Pages from Hell 2 Wed, 15 Nov 2006 02:39:57 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-654 [...] November 15th, 2006 This month my guest blogger is Adrian Pastor (a.k.a pagvac) the founder of “In Knowledge We Trust - Security Research Labs” and co-author of “Exegesis of Virtual Hosts Hacking”. Adrian and I have been brainstorming together on various security related projects. He currently works as a security analyst and researcher involved in high-profile web application testing. In this post Adrian expands on topic of “Web Pages from Hell”. These are his words: [...] [...] November 15th, 2006 This month my guest blogger is Adrian Pastor (a.k.a pagvac) the founder of “In Knowledge We Trust - Security Research Labs” and co-author of “Exegesis of Virtual Hosts Hacking”. Adrian and I have been brainstorming together on various security related projects. He currently works as a security analyst and researcher involved in high-profile web application testing. In this post Adrian expands on topic of “Web Pages from Hell”. These are his words: [...]

]]> By: pdp http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-233 pdp Wed, 11 Oct 2006 01:50:14 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-233 MARCOS, maybe I don't quite understand your question but from what I see you want to retrieve the content of c:\test\x.htm from http://www.example.com for example. That is not possible. MARCOS, maybe I don’t quite understand your question but from what I see you want to retrieve the content of c:\test\x.htm from http://www.example.com for example. That is not possible.

]]> By: MARCOS OLIVEIRA http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-231 MARCOS OLIVEIRA Tue, 10 Oct 2006 19:30:49 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-231 My problem is that i have IIS and a virtual directory... could you please tell me if it is possible to use an iframe to get a html page from, for example, c:\test\x.htm... Be aware that my VD is different from the c:\test. Thank you so much. Marcos Oliveira My problem is that i have IIS and a virtual directory… could you please tell me if it is possible to use an iframe to get a html page from, for example, c:\test\x.htm… Be aware that my VD is different from the c:\test.

Thank you so much.
Marcos Oliveira

]]> By: pdp http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-190 pdp Thu, 05 Oct 2006 01:37:31 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-190 ravikiran.k, sure. You will be able to get my gmail address from various security lists. Add me in and if I am online drop me a message. ravikiran.k, sure. You will be able to get my gmail address from various security lists. Add me in and if I am online drop me a message.

]]> By: ravikiran.k http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-176 ravikiran.k Tue, 03 Oct 2006 12:49:35 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-176 Great Work,Can i get your appointment for a talk. Great Work,Can i get your appointment for a talk.

]]> By: offtopic http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-135 offtopic Sat, 23 Sep 2006 11:40:26 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-135 About Internet Explorer. While IE (in XP and W2K3) per se by default locks active content, many applications which reuse IE starts it “unlocked” mode. About Internet Explorer.
While IE (in XP and W2K3) per se by default locks active content, many applications which reuse IE starts it “unlocked” mode.

]]> By: pdp http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-133 pdp Sat, 23 Sep 2006 11:17:34 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-133 how does this relate to this article? Sorry I don't have time to look more carefully in the security focus links that you provided. Can you elaborate more? Thanks. how does this relate to this article? Sorry I don’t have time to look more carefully in the security focus links that you provided. Can you elaborate more? Thanks.

]]> By: offtopic http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-132 offtopic Sat, 23 Sep 2006 10:44:34 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-132 This techniques widly used to exploit Internet Explorer "embedded" in different applications. 2 old examples http://www.securityfocus.com/bid/14385 http://www.securityfocus.com/archive/1/433360 This techniques widly used to exploit Internet Explorer “embedded” in different applications.
2 old examples

http://www.securityfocus.com/bid/14385

http://www.securityfocus.com/archive/1/433360

]]> By: pdp http://www.gnucitizen.org/blog/web-pages-from-hell/#comment-86 pdp Sun, 17 Sep 2006 07:31:04 +0000 http://www.gnucitizen.org/blog/web-pages-from-hell#comment-86 Yes anty, You are right. The reason I presented it this way was because sometimes JRE is not installed in which case you cannot read binary files, but you can read text files with iframe. It it the same when listing directories. Also, you can use the XMLHttpRequest object, however, to me it seams that it works on some setups but it doesn't on others. Yes, this technique works only when the file is executed locally due to the same origin policy. It will not work remotely unless you find a browser bug but this is a completely different story. However, there are situations where a plugin or an extension unconsciously caches web content on the file system and presents it to the user. This was the case with <a href="http://www.gnucitizen.org/blog/cross-context-scripting-with-sage" rel="nofollow" rel="nofollow">Sage cross-context scripting vulnerability</a>. The complete sourcode of the techniques presented here are available at <a href="http://www.gnucitizen.org/blog/attackapi" rel="nofollow" rel="nofollow">AttackAPI project page</a>. Yes anty,

You are right. The reason I presented it this way was because sometimes JRE is not installed in which case you cannot read binary files, but you can read text files with iframe. It it the same when listing directories. Also, you can use the XMLHttpRequest object, however, to me it seams that it works on some setups but it doesn’t on others.

Yes, this technique works only when the file is executed locally due to the same origin policy. It will not work remotely unless you find a browser bug but this is a completely different story.

However, there are situations where a plugin or an extension unconsciously caches web content on the file system and presents it to the user. This was the case with Sage cross-context scripting vulnerability.

The complete sourcode of the techniques presented here are available at AttackAPI project page.

]]>