Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Google Chrome: HTTP AUTH Dialog Spoofing through Realm Manipulation (Restated)
From: Tim <tim-security () sentinelchicken org>
Date: Mon, 23 Aug 2010 17:05:29 -0700

Aditya,

First of all, the dialog spoofing issue still works in Google Chrome and
it has not been patched. 

I'm not surprised.  There didn't seem to be a lot of interest in these
issues from any browser vendor when I brought them to their attention.

A lot of tests have been
conducted considering different variants spoofing. I missed your paper
previously. I must say its a very good read. 

Not a problem; the paper only addressed this topic tangentially.  I
only brought it up because I wasn't sure how things had changed since
I last tested and thought you could enlighten me.

Further, it has been mentioned several times that it is a legitimate
attack point used by phishers. For example:

http://code.google.com/p/browsersec/wiki/Part3#HTTP_authentication

Yup, the attack scenario I described came straight from the BSH,
though I didn't mess around with the password-in-URL stuff.

Even this issue is not patched. May be URL protection like Mozilla is a
good practice.

Further, Mozilla has worked pretty fine after the dialog spoofing
vulnerability disclosed by Aviv Raff on below mentioned
link
:http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx

Ah, nice, I didn't see this one when I was last testing this stuff.

We have used a well defined PHP script in this demo combining with a URL
obfuscation issue. Since spoofing aims at
manipulating the security features in user interfaces, it requires a new
model dialog for HTTP authentication that should disseminate
the realm value from domain name. Restricting, the string length of
Realm value could be a good lead here.

More usefully, the realm should be clearly separated from the domain
and labeled in the dialog like Opera does it.  See the screenshot of
that in my paper.  There could still be some confusion, but it's
clearly much better than trying to embed potentially malicious strings
within the same sentences as more carefully validated ones (the
domain).


So, once again, could you send the realm string/auth header you were
setting in that demo?

thanks,
tim


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]