Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Chrome and Safari users open to stealth HTML5 Application Cache attack
From: Lavakumar Kuppan <lava () andlabs org>
Date: Tue, 29 Jun 2010 11:51:20 +0530


That interpretation is accurate.


It is not possible to create caches for HTTPS resources over HTTP.
However by caching root pages of the site's HTTP equivalent we can attack
the user before redirecting to HTTPS.
Similar to SSLstrip.

I probably didnt explain this well in the mail, sorry about that.


On Tue, Jun 29, 2010 at 6:23 AM, Michal Zalewski <lcamtuf () coredump cx>wrote:

On unsecured networks, attackers could stealthily
create malicious Application Caches in the browser of victims for even
sites. It has always been possible to poison the browser cache and
compromise the victim's account for HTTP based sites.
With HTML5 Application Cache, it is possible to poison the cache of even
HTTPS sites.

Is it agreed that if the above is true -- meaning, separation doesn't
actually exist -- then there's a bug?

My understanding is that this refers to the ability to poison
http://www.mybank.com - which may be the default destination for a
good percentage of users - even if the only function of this page is
to redirect directly to https://www.mybank.com.

There should be no ability to use cache manifests delivered over http
to inject content into the https origin, or at least I hope so.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]