Re: Attacking the local LAN via XSS
From: "pdp (architect)" <pdp.gnucitizen () googlemail com>
Date: Fri, 4 Aug 2006 09:59:56 +0100
perform cross-domain requests, however this is fixed in Flash 8. Java
Objects are quite the same in that respect. Of course, in certain
situations it might be possible to trick the browser.
The proposed scenario takes advantage of the fact that the internal device
is vulnerable to an XSS attack. In this case all the attacker needs to do
is to make an iframe call to the vulnerable URL in order to inject
browser will happily allow you to make XmlHttpRequests. In the Ajax
world this is the most well-proven technology. Both POST and GET are
Performing PUT, HEAD, DELETE and other server methods is possible as
well. All the attacker needs to do is to perform an iframe call to the
XSS-vulnerable URL that will embed a Java Object which will perform
the desired operations. More sophisticated attack vectors are also
possible (TCP, UDP, ICMP scanning, sockets, etc.).
In case the current browser has an outdated Flash plugin, the malicious
site can perform the desired attack without the need for the internal
device to be vulnerable to XSS. However, this will work in very closed
environments because most of the time plugin updates are enforced on
In case sensitive information needs to be transferred from the local
LAN to a remote collection point, a few other methods can be employed.
A Flash object can store a lot of information by using the AJAX
MAssive Storage System (AMASS) technique
<http://codinginparadise.org/projects/storage/README.html>. When the
storage reaches a critical mass (99K) the content can be automatically
dumped at the remote collection point via POST. All this can be
achieved from Flash (all versions). Of course the remote collection
point needs to have a "crossdomain.xml" file located in the document
root to allow cross-domain requests in case the Flash plugin is in its
All of these checks can be performed at runtime. The attacker can
detect what version of Flash is currently used and whether Java is
enabled. Based on that, the best attack vector will be selected.
Moreover, this can be trivially achieved by using well-known AJAX
On 8/4/06, Georgi Guninski <guninski () guninski com> wrote:
On Fri, Aug 04, 2006 at 12:35:48AM +0100, pdp (architect) wrote:
> For that purpose three prerequisites are needed:
> 1. page that is controlled by the attacker, lets call it evil.com
> 2. border router vulnerable to XSS
blind <img src=http://ip/cgi-bin/readmailreallyfast>, iframe src=, may have
interesting side effects.
where do you want bill gates to go today?
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
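The post notes that the remote collection point must publish a crossdomain.xml that allows cross-domain requests before a Flash object can POST harvested data to it. The following is an added example, not code from the thread or from any of the posters: it evaluates a crossdomain.xml policy the way a Flash plugin decides whether a SWF from another origin may talk to the publishing host, and classifies a policy so a defender can spot the wildcard form an attacker's collection point (or a carelessly configured internal site) would carry. The two sample policies are constructed for this example. The subdomain-wildcard rule (`*.example.com` covering the apex as well as subdomains) and the default of `secure="true"` follow Adobe's policy-file description as I read it; treat both as assumptions, and use a real XML parser rather than the regex shortcut here if you put this in a scanner.

```javascript
// Added example (not from the original post): evaluate and triage a
// Flash-era crossdomain.xml policy. Sample policies below are constructed.

// Extract <allow-access-from .../> entries from a policy document.
// A minimal regex parser stands in for a real XML parser so the example
// runs stand-alone; it only handles the attributes the check needs.
function parsePolicy(xml) {
  const entries = [];
  const tagRe = /<allow-access-from\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(xml)) !== null) {
    const attrs = {};
    const attrRe = /(\w+)\s*=\s*"([^"]*)"/g;
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1].toLowerCase()] = a[2];
    if (attrs.domain !== undefined) {
      entries.push({
        domain: attrs.domain.toLowerCase(),
        // Assumption: secure defaults to true, so an https policy does not
        // admit http requesters unless secure="false" is written explicitly.
        secure: attrs.secure === undefined ? true : attrs.secure.toLowerCase() !== 'false'
      });
    }
  }
  return entries;
}

// Does one domain pattern cover the requesting host?
// "*" covers everything; "*.example.com" covers example.com and any
// subdomain (assumption, per Adobe's wildcard description); anything else
// must match exactly.
function domainMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(2);
    return host === suffix || host.endsWith('.' + suffix);
  }
  return pattern === host;
}

// Would a SWF served from requestHost be allowed to read responses from
// the site that published xml? policyHttps: the policy was fetched over
// https; originHttps: the SWF's own origin is https. With secure=true an
// https policy only admits https requesters.
function policyAllows(xml, requestHost, policyHttps, originHttps) {
  const host = requestHost.toLowerCase();
  return parsePolicy(xml).some(e =>
    domainMatches(e.domain, host) && (!policyHttps || originHttps || !e.secure));
}

// Defender-side triage: domain="*" hands every site on the Internet read
// access to this host's responses from within a Flash object.
function classifyPolicy(xml) {
  const entries = parsePolicy(xml);
  if (entries.length === 0) return 'none';
  return entries.some(e => e.domain === '*') ? 'wildcard' : 'restricted';
}

// Constructed sample: the permissive policy a collection point would serve.
const WILDCARD_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>`;

// Constructed sample: a policy limited to named hosts.
const RESTRICTED_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com" secure="true" />
  <allow-access-from domain="partner.example.net" />
</cross-domain-policy>`;
```

Running `classifyPolicy` over the crossdomain.xml of each internal web interface is a quick way to find hosts that any page on the Internet could read through a Flash object, independently of whether the device also has an XSS bug; `policyAllows(RESTRICTED_POLICY, 'www.example.com', true, false)` returns false because the https policy's `secure="true"` entry does not admit an http origin.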
Re: Attacking the local LAN via XSS Florian Weimer (Aug 10)