Cross Context Scripting with Sage

This month we have a guest blogger, and his name is David Kierznowski, the founder of Operation n – the adventures of Michael Daw. David and I have been working together on various security-related projects. He currently works as a security analyst and researcher. David contacted me after he found an interesting anomaly with the Sage Firefox extension. These are his words:

I would often keep abreast of new vulnerabilities and exploits via my RSS feeds. [...]


JavaScript Authorization Forcer

This is an idea I am still developing. The malicious JavaScript presented here tries to guess URLs that contain credentials. It is a sort of Basic Authentication/FTP Authentication brute-forcer.

The source code can be downloaded from here.

The POC works well in IE6, IE7, Firefox and Opera. I wasn’t able to suppress the Basic Authentication dialog when trying to create a real Basic Authentication brute-forcer. However, I came up with this lazyForce implementation. [...]


JavaScript Visited Link Scanner

This is a technique which I learned from Jeremiah Grossman and his presentation on JavaScript malware. Please, keep all the credits for this finding to Jeremiah.

The POC presented here is my improved version of the POC presented at BlackHat. I made it work in IE6, IE7, Firefox and Opera. My main challenge was IE6. IE6 is very nasty when dealing with dynamically generated style sheets. However, this can be easily solved by reusing the current style sheet. [...]


XSSing the Lan 4

Trust is a beautiful concept that rarely finds application in real life. Unfortunately, trust is all we’ve got when dealing with computers: username, password, master I am here to serve you; neither semantics nor pragmatics. The browser security model is kind of based on trust. The browser trusts websites that you trust. It relies on our judgment which is wrong most of the time. [...]


XSSing the Lan 3

In my previous posts I mentioned that in order to compromise a LAN device from the Internet, the attacker needs to exploit an XSS vulnerability in the device firmware. The limitations of this kind of attack are quite obvious. Let’s have a look at the exploitation process again.

First of all, the local LAN needs to be explored for live hosts, and then each host needs to be scanned against a URL signature database in order to detect the firmware type and version. [...]


XSSing the Lan 2

In order to perform browser-based attacks, JavaScript is most definitely required, with a number of restrictions of course. Flash 7 has the flexibility to perform cross-domain requests without restrictions; however, this is sort of fixed in Flash Player 8. Java applets are quite the same in that respect. In certain situations it might be possible to trick the browser into doing whatever you want, but this is a different story. [...]


XSSing the Lan

Since there is a growing interest in XSS (Cross-site Scripting) attacks, I will try to put in theory how border routers/gateways can be trivially compromised over the web. For the purpose of this, three prerequisites need to be met: a page that is controlled by the attacker, let’s call it evil.com; a router vulnerable to XSS; and a user visiting evil.com.

Once the user visits evil.com, malicious JavaScript code executes to find which machines are alive on the LAN and where the router is located. [...]
