WebApp Sec mailing list archives

alternate (new?) web app exploitation angle--too much coffee version
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Fri, 1 Oct 2004 12:52:32 -0500

Arian Security Advisory 01.10.04

I. VENDOR: I'm not very smart, but I stumbled onto something
new to me this week.

II. <DISCLAIMER> Hopefully I'm not a total idiot and everyone's
already thought of this/done this and it's a completely banal
post simply missing a "Secrets of the XSS Injection Masters"
PDF linking to my super-XSS-injection defender box.
</disclaimer>

III. DESCRIPTION: Rainy Friday Script/Command injection fun:

airpwn + app you're testing + $client.wireless.hotspot

IV. ANALYSIS: It's slick, it's simple, and it scales nicely =)
Something useful did come out of Defcon 12...

Now most of the juicy bits you want are probably wrapped
in an SSL tunnel which you won't be getting here, unless
you 'break' the session...read on, I am still figuring out ways
to break and restart the SSL session. So this attack is more
of a novelty, but a nice quick way to demonstrate arbitrary
script execution on dozens of clients in parallel.

Or exploitation of the client's app. Or fill a bored Saturday
in the excitingly cosmopolitan Kansas City.

V. PROOF of CONCEPT:--grab a response from the webapp.

Rebuild it. Respond it to the clients. Force them to re-enter
their input, click on submit.... or send them a link, or or or

Obviously you could send the client a bomb directly with
this, but perhaps you want something out of their session,
so now you brute-force break their session by sending a new
login page and make them log back in with your XSS. You
get session cookie/parameter and credentials, the Britney
pics, a good laugh, etc.

VI. WORKAROUND: CAT5/6.

VII. BACKGROUND: Some smart CS student tried messing
with people (me) at a hotspot next to a local university and it
switched me into <evil> mode and resulted in something a lot
more interesting than this XSS. CS major got the smackdown
from the GED.

VIII. DISCLOSURE TIMELINE: </evil>

Think of a recent related Windows exploit and your lights
should go on quicker than mine did at something else you
can do with this approach. Look for another post this weekend
from a non-work account to BT and FD lists; if BT mod-bounces
I'll post to pen.

IX. VENDOR RESPONSE: Can't decide if this is pen or web.

Use your powers for good. If you see me in KC this weekend
with a laptop that says "PLEASE WAKE ME FOR MEALS"
on the lid, turn off your 802.11b and find a landline. :)

Arian Evans
Sr. Security Engineer
FishNet Security

KC Office:  816.421.6611
Direct: 816.701.2045
Toll Free:  888.732.9406
Fax:  816.474.0394

http://www.fishnetsecurity.com