Full Disclosure mailing list archives
Re: MouseOverJacking attacks
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 3 Jan 2010 23:50:29 +0200
Hello Andrew!

First of all, Happy New Year to you and to all participants of the list. And about your letter.

> If you can inject arbitrary HTML into a web page,

When you are talking about arbitrary HTML, then it means possibility to inject angle brackets and in my article I'm talking about hardest cases, where using of angle brackets is not possible.

> there are plenty of ways (many of them easier or more flexible than this) you can get it to run Javascript

Yes, in other cases there can be used other XSS attack vectors. But I'm talking about hardest cases, where only using of events of html objects are possible. As I clearly wrote about it in my article. Here is a quote from the article:

It's possible to intercept onMouseOver events in Cross-Site Scripting vulnerabilities, when other vectors of XSS attacks are impossible at the site. For example, in case of filtration at the server or using of WAF.

So in such rare cases, when you can only use events of html objects for attack, you can use MouseOverJacking technique instead of common XSS attack, to conduct this XSS attack automatically. Also in my article I wrote that MouseOverJacking can be used for other attacks (DoS, CSRF and others).

> None of this is considered particularly novel at this point.

All of attack vectors mentioned by you are known to me for a long time. It's known XSS attack vectors. As I said, MouseOverJacking can be used in hard cases (when other automated XSS attacks are not possible), to make automation of such attack.

Besides, as I see from conversation with different people about MouseOverJacking (including you), people didn't see the possibility of using this attack technique not only in rare cases, but in more widespread cases of XSS attacks. As I hinted about it in my article ;-). So at the end of December I decided to make a new article with description of wider use of MouseOverJacking for XSS attacks. And I'll write it soon.

P.S.

> - Embedded objects (say, Flash, using ExternalInterface)

Or Flash with getURL. About XSS attack via Flash I have another article - XSS vulnerabilities in 8 millions flash files (http://websecurity.com.ua/3789/). Which you can read.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "Andrew Farmer" <andfarm () gmail com>
To: "MustLive" <mustlive () websecurity com ua>
Cc: <full-disclosure () lists grok org uk>
Sent: Thursday, December 31, 2009 7:15 AM
Subject: Re: [Full-disclosure] MouseOverJacking attacks

On 29 Dec 2009, at 13:48, MustLive wrote:

> Recently, 26th of December 2009, I wrote the article MouseOverJacking attacks (http://websecurity.com.ua/3807/), and today I wrote English version of it (http://websecurity.com.ua/3814/).

Hardly news. If you can inject arbitrary HTML into a web page, there are plenty of ways (many of them easier or more flexible than this) you can get it to run Javascript:

- <script> tags, obviously
- Binding other events that'll trigger without an event, like onLoad
- CSS (either inline, in a <style>, or loaded from another site with <link rel="stylesheet">) containing any of:
  * Background images loaded with the javascript: protocol
  * expression() (MSIE only?)
  * -moz-binding
- Embedded objects (say, Flash, using ExternalInterface)

None of this is considered particularly novel at this point.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
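
Added example, not part of the original messages or of either author's code: the case discussed in this thread, where a server-side filter removes only angle brackets and the input lands inside a quoted attribute, shown next to context-aware attribute encoding. The template, function names and sample input are constructed for illustration.

```javascript
// Weak filter (assumed): strips only angle brackets, so quotes pass through.
function stripAngleBrackets(s) {
  return String(s).replace(/[<>]/g, "");
}

// Context-aware encoder for a quoted HTML attribute value.
function encodeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical template: user input is placed inside a double-quoted attribute.
function render(value, filter) {
  return `<input type="text" name="q" value="${filter(value)}">`;
}

// Minimal attribute scanner for one start tag (sufficient for this demo):
// returns the attribute names an HTML tokenizer would see.
function attrNames(tag) {
  const names = [];
  const inner = tag.replace(/^<\w+/, "").replace(/\/?>$/, "");
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Defender's check: did rendering introduce any on* event-handler attribute?
function injectedHandlers(tag) {
  return attrNames(tag).filter((n) => /^on[a-z]+$/.test(n));
}

// Constructed input: no angle brackets, only a quote and an event attribute.
const sample = 'x" onmouseover="alert(1)';

const weak = render(sample, stripAngleBrackets);
const safe = render(sample, encodeAttr);

console.log(weak, injectedHandlers(weak)); // handler attribute present
console.log(safe, injectedHandlers(safe)); // input stays inside value=""
```

The same check can be run in a regression test over every template slot that renders request data into an attribute.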
