Sla.ckers.org
HTTP 204
Posted by: Ivan
Date: May 24, 2007 10:35AM

Hello there,

Over the past few days I was auditing one site and found that some locations return an "HTTP 204 No Content" response.

From the RFC: "... If the client is a user agent, it SHOULD NOT change its document view from that which caused the request to be sent. ..."

And I got one idea for a phishing scenario:

The user is on some page that has a real href link to another page (on the domain that someone wants to phish) that returns 204. When the user clicks on that link we can hook the action with onClick and show a new page with innerHTML or something like that. The user will be phished if he doesn't look at the address bar.

Or, we can tell the user to paste the URL into the address bar and, with some trigger (onmouseover and some time counting), switch the page.

It is not a perfect method, but it is interesting: we have the possibility to exploit a 204 response if we have nothing else. And the questions are: What do you think about this? Did someone see something like this somewhere?

Regards,
Ivan

http://www.security-net.biz/



Edited 1 time(s). Last edit at 05/24/2007 11:17AM by Ivan.

Re: HTTP 204
Posted by: ma1
Date: May 24, 2007 01:41PM

Ivan Wrote:
-------------------------------------------------------
> When the user clicks on that
> link we can hook the action with onClick and show a new
> page with innerHTML or something like that. The user
> will be phished if he doesn't look at the address bar.

Maybe I'm missing something, but if you do your magic in the onclick handler and then return false (or you replace the href attribute with "#" before returning), don't you produce the very same effect, with or without the 204 response?

And if you really rely on the user not looking at the location bar, why don't you simply navigate to your phishing page from the onclick handler?

OK, people fall for phishing a lot more than one could believe, but this one doesn't add that much IMHO.

But I'm probably missing something...

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: HTTP 204
Posted by: kuza55
Date: May 25, 2007 01:03AM

Interesting find, but I can't think of how this could really be useful atm. When the HTML-only password theft was possible by setting the attribute to an off-site location, this could have been very useful, but atm Firefox is still vulnerable only in such a way that this won't help.

And like ma1 said: if users aren't looking at the URL, they can just get phished in the usual way.

Re: HTTP 204
Posted by: Ivan
Date: May 25, 2007 05:23PM

It is not some big "magic", but it is just a new way ... Thanks for the replies.

http://www.security-net.biz/

Re: HTTP 204
Posted by: Ivan
Date: May 29, 2007 01:14PM

Btw, where is a good place to use HTTP 204? Where did you find it?

Thanks,
Ivan

http://www.security-net.biz/
