Full Disclosure mailing list archives
Re: IE8 img tag HiJacking
From: T Biehn <tbiehn () gmail com>
Date: Thu, 22 Apr 2010 13:20:57 -0400
It could be used as a technique for defeating the login images used as "two-factor-authentication" by some online services. The application of using filesize to fingerprint an image is somewhat novel. This is a decidedly 'old' vector, though. -Travis 2010/4/21 Владимир Воронцов <vladimir.vorontsov () onsec ru>
Hello Full disclosure! Once again, unwinding theme HiJacking found a fun way to get the very least information about the target resource when the user is located at the attacker. Already crocked <img> tag opens new opportunities using the method fileSize, described here: http://msdn.microsoft.com/en-us/library/ms533752 (v = VS.85). Aspx Consider a simple example - a Web application after authentication provides some sort of picture for the user, for example: http://example.com/getImage.php?image=myAvatar The attacker, knowing this can create a page to read: <img id="onsec" src="http://example.com/getImage.php?image=myAvatar";> <input type="button" onclick="if (onsec.fileSize> 0) (alert ('authorized on example.com') else (alert ('not authorized on example.com')}"> Thus, the attacker learns the simplest case, whether the target user access to example.com. Continuing the theme, I want to note that in some cases, can obtain additional information from the very values of the size of the picture. It can be any logical information Web applications, say, the same script can show administrators a picture of the same size, and users - of another. Thus, we obtain the user rights. And so on. I'd like to return the size of the method is not only "valid" images, but also HTML pages, JSON, etc. But, unfortunately, does not work. Maybe, of course, there are exceptions, call to investigate the matter. I have some thoughts on the study of vector images in XML format, because HTML is often valid XML, and then ... Check for the test version IE9, but he did not support SVG inside tag <img>, but only as a separate tag. Works in IE8, in Opera 10.52 does not work on check writing, if not difficult. Original at russian language: http://oxod.ru/?p=113 -- Best regards, Vladimir Vorontsov ONsec security expert _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on http://pastebin.com/f6fd606da
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- IE8 img tag HiJacking Владимир Воронцов (Apr 21)
- Re: IE8 img tag HiJacking T Biehn (Apr 22)
- Re: IE8 img tag HiJacking Dan Kaminsky (Apr 22)
- Re: IE8 img tag HiJacking Dan Kaminsky (Apr 22)
- Message not available
- Re: IE8 img tag HiJacking T Biehn (Apr 22)
- Re: IE8 img tag HiJacking Dan Kaminsky (Apr 22)
- Re: IE8 img tag HiJacking Владимир Воронцов (Apr 22)
- Re: IE8 img tag HiJacking T Biehn (Apr 22)