Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
List of ways to perform cross-site requests
Date: February 10, 2008 09:18PM

Does anyone know of a good list for this? I can rattle off a few, but it would be nice if there was a "comprehensive" list.

1. Flash with crossdomain.xml (GET & POST, returns data)
2. Imgs (GET)
3. Iframes (GET)
4. Auto-submitting forms (GET & POST)
5. Script tag (GET, returns data)
6. Link tag with rel="stylesheet" (GET, returns data)
7. Location Header (GET)
8. Meta redirect (GET)
9. Object/Embed tag (GET)
10. Trusted Scripts for Mozilla (GET & POST, returns data)
11. Trusted Zone for IE (GET & POST, returns data)
12. ???

HTML Purifier - Standards Compliant HTML filtering

Re: List of ways to perform cross-site requests
Posted by: kuza55
Date: February 10, 2008 10:40PM

I have no idea about a comprehensive list, but here's some things I can think of from the top of my head:

style tags, GET, also return data
style attributes (@import), GET, returns data
object tags, GET, returns data (think Flash/Java)
craploads of other tags which support things like background images, sound, etc, GET
Javascript redirects, GET
Refresh header, GET
Location header, w/ 317 status code redirects POST data (cannot alter POST data being sent)
Cross-Domain XHR (GET unless explicitly allowed, returns data)

Is there any particular reason you're looking for such a list?

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]
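Added example (not part of Ambush Commander's or kuza55's posts, and not code from any project): the two lists above all end in an HTTP request the browser makes on the logged-in user's behalf, so a server-side gate does not need to tell the vectors apart. It asks three things of any request that changes state: is the method one we allow to change state, does the Origin (or, failing that, Referer) header name our own site, and does the request carry the per-session token that a third-party page cannot read. SITE_ORIGIN, the dict-shaped request objects and the hosts under .example are assumptions for this example.

```python
"""Gate for state-changing requests, meant to defeat every vector listed above.

Added example (not the forum's or any project's code). Assumes the app lives
at SITE_ORIGIN and keeps one random token per session that is written only
into the app's own pages; requests are plain dicts for the demo.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"          # assumed origin of the protected app
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}    # may never change state


def new_session_token():
    """Per-session secret; embed it in the app's own forms as csrf_token."""
    return secrets.token_urlsafe(32)


def _source_origin(headers):
    """Origin the browser says the request came from, or None if unknown.

    Origin is preferred; Referer is reduced to scheme://host[:port] as a
    fallback for browsers that omit Origin on same-origin POSTs.
    """
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def check_state_change(request, session_token):
    """Return (allowed, reason) for a request that would change server state."""
    method = request["method"].upper()
    # img/iframe/script/link/object tags, Location and Refresh headers and
    # meta refresh all end in a GET; if nothing changes on GET they are inert.
    if method in SAFE_METHODS:
        return False, f"{method} may not change state"
    # Auto-submitting forms and 307 redirects can POST, but the browser then
    # labels the request with the attacking page's origin (or "null" after a
    # cross-origin redirect), never ours.
    src = _source_origin(request.get("headers", {}))
    if src != SITE_ORIGIN:
        return False, f"source origin {src!r} is not {SITE_ORIGIN}"
    # A third-party page cannot read the token out of our pages (absent one of
    # the "returns data" vectors), so it cannot forge this field.
    submitted = request.get("form", {}).get("csrf_token", "")
    if not submitted or not hmac.compare_digest(
            submitted.encode(), session_token.encode()):
        return False, "missing or wrong csrf_token"
    return True, "ok"


def demo():
    """Run constructed requests through the gate; returns {label: allowed}."""
    token = new_session_token()
    cases = {
        "img tag GET with a valid token in the query string":
            {"method": "GET", "headers": {"Origin": SITE_ORIGIN},
             "form": {"csrf_token": token}},
        "auto-submitting form POST from another site":
            {"method": "POST", "headers": {"Origin": "https://evil.example",
             "Referer": "https://evil.example/page"}, "form": {"a": "1"}},
        "POST body carried through a cross-origin 307 redirect":
            {"method": "POST", "headers": {"Origin": "null"},
             "form": {"csrf_token": token}},
        "same-origin POST with the session token":
            {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
             "form": {"csrf_token": token}},
        "same-origin POST with a stale token":
            {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
             "form": {"csrf_token": new_session_token()}},
    }
    return {label: check_state_change(req, token)[0]
            for label, req in cases.items()}


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```

The token check is only as strong as the token's secrecy, which is why the "returns data" column in the lists matters: a permissive crossdomain.xml, a script tag that serves JSON, or a trusted-zone setting lets another site read the page that carries the token, and then the origin check is the only thing left.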

Re: List of ways to perform cross-site requests
Date: February 10, 2008 11:14PM

Ah, those are some nice ones. A few questions, though, on some of them:

- For object tags, don't those only return data if you use an exploit?
- Cross-Domain XHR, which implementation are you specifically talking about?

Quote

Is there any particular reason you're looking for such a list?

Not really. What started me off on this journey was we were trying to lock down all potential places where, if sensitive information was exposed, it could be used to form a CSRF attack. However, that only makes the methods that return data "interesting".

From a blackhat perspective, the rest are still fairly useful; they can be used to mount CSRF attacks from other websites (esp. useful if you need a lot of people to hit it) that allow those functions.

But really, it's just for the sake of knowledge! :-)

HTML Purifier - Standards Compliant HTML filtering

Re: List of ways to perform cross-site requests
Posted by: riahmatic
Date: February 11, 2008 02:56AM

Probably a stretch, but some clients will fetch DTD URLs. GET

Re: List of ways to perform cross-site requests
Posted by: kuza55
Date: February 11, 2008 03:43AM

Ambush Commander Wrote:
-------------------------------------------------------
> Ah, those are some nice ones. A few questions,
> though on some of them:
>
> - For object tags, don't those only return data if
> you use an exploit?

They return data in the same sense that javascript returns data; you can interact with the object. Admittedly it's not going to get you anywhere unless the Flash file wants to give you data (or leaks it by assuming that the js it interacts with when it called FS_Command or whatever the API is, is friendly) or exposes an exploitable javascript interface or something (I'm not completely sure on this one, but I think if it has an exploitable interface and you do exploit it you can read LSOs from the site the flash is hosted on, but don't trust me on that...)

> - Cross-Domain XHR, which implementation are you
> specifically talking about?

Well, the only browser I know of which has implemented it so far is Firefox 3: http://developer.mozilla.org/en/docs/Cross-Site_XMLHttpRequest

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

Re: List of ways to perform cross-site requests
Posted by: Anonymous User
Date: February 11, 2008 10:35AM

Like in:

# by Gareth.

<?xml version='1.0' encoding='us-ascii'?>
<!DOCTYPE body SYSTEM "chrome://branding/locale/brand.dtd">

<body>
<b>&brandShortName;</b>
</body>

Save it as an XML file and it grabs the entity names.

Tested it on a server and it works fine :)

If you can grab a DTD with sensitive info and include it in an XML file, you could use XMLHttpRequest to parse the file. You may even be able to include them in an XHTML document.

Re: List of ways to perform cross-site requests
Date: February 11, 2008 02:15PM

Quote

I think if it has an exploitable interface and you do exploit it you can read LSO's from the site the flash is hosted on, but don't trust me on that...

Good question. Basically, the question boils down to the context in which the Flash file executes. Unfortunately, I don't know ActionScript, so I can't test. :-)

Quote

Well, the only browser I know of which has implemented it so far is Firefox 3

Ok. The reason I asked was there are a bunch of workarounds for same-origin policy, and they're all called Cross-Domain XHR, even though they're not.

Quote

<!DOCTYPE body SYSTEM "chrome://branding/locale/brand.dtd">

Ooh, nice one. In fact, that opens up a bunch of vectors related to XML:

- xml-stylesheet, especially for XSL data. GET, returns data
- XInclude. GET, returns data. UNTESTED. This actually could be pretty nasty if the browsers don't implement it correctly, because XIncluded data would presumably be accessible to our DOM.
- XSLT with the document() function. GET, returns data. UNTESTED
- XSLT with xsl:include and xsl:import, for XSL data. GET, returns data. UNTESTED
- Entities that resolve to URLs. GET, returns data. UNTESTED
- XLink in a resource context??? GET. UNTESTED

I'm not sure how much browsers implement of these; would be good to test!

In fact, browser based XSLT seems like a time-bomb; it's Turing complete, so it's only a matter of time before it gets exploited.

Also, some languages based in XML have exploitable things:

- script tag in SVG. GET, returns data. UNTESTED
- externalResourcesRequired attribute in SVG. GET, returns data? UNTESTED

Once again, browser support will be the primary issue here.

It might also be a good idea to say what kind of data a method returns. :-)

HTML Purifier - Standards Compliant HTML filtering

Re: List of ways to perform cross-site requests
Posted by: riahmatic
Date: February 11, 2008 02:39PM

don't forget xml schemas
xsi:schemaLocation="http://www.w3schools.com/note.xsd" GET, returns xml data

Re: List of ways to perform cross-site requests
Posted by: riahmatic
Date: February 11, 2008 02:51PM

@Ronald

That would be a neat way to check if someone has an extension installed: check for an entity from its DTD.

Re: List of ways to perform cross-site requests
Posted by: Anonymous User
Date: February 11, 2008 03:46PM

Yep, among other stuff it can; gotta love Firefox, the browser that makes it all possible.

Re: List of ways to perform cross-site requests
Posted by: riahmatic
Date: February 11, 2008 11:52PM

rdf:resource attributes, GET, returns data

edit: It's safe to say that most clients who read arbitrary XML attributes that utilize URLs could be susceptible to CSRFs. A friend's VoIP setup that uses an XML config file to grab images comes to mind.



Edited 1 time(s). Last edit at 02/14/2008 05:44PM by riahmatic.
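Added example, not code from any of the posts above or from any project: the XML vectors collected in this thread (Gareth's brand.dtd trick, Ambush Commander's xml-stylesheet/XInclude/entity list, riahmatic's xsi:schemaLocation and rdf:resource) are all places where a URL in the document makes the client fetch something. A defender who serves user-supplied XML from their own origin, or whose client (browser, VoIP phone) reads XML from elsewhere, wants a list of those URLs before the client ever sees the file. This audit walks a document with the standard-library expat bindings, with external entity loading left off so the audit itself fetches nothing, and records each reference it finds. The sample document and the hosts under example.invalid are constructed for this example.

```python
"""List every URL an XML document would make a client fetch.

Added example, not code from the thread or any project. It walks a document
with the stdlib expat bindings, with external entity loading left off, and
records the places the posts above name: the DOCTYPE system id, external
entity declarations, xml-stylesheet instructions, xi:include, xsi schema
locations, rdf:resource and xlink:href. Nothing is fetched; the result is
what a less careful parser, or a browser, would request. The sample
document and its example.invalid URLs are constructed for this example.
"""
from xml.parsers import expat

XSI = "http://www.w3.org/2001/XMLSchema-instance"
XINCLUDE = "http://www.w3.org/2001/XInclude"
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
XLINK = "http://www.w3.org/1999/xlink"

# Namespaced attributes whose value is a URL a client may dereference.
URL_ATTRS = {
    (XSI, "schemaLocation"): "xsi:schemaLocation",
    (XSI, "noNamespaceSchemaLocation"): "xsi:noNamespaceSchemaLocation",
    (RDF, "resource"): "rdf:resource",
    (XLINK, "href"): "xlink:href",
}


def audit_external_refs(xml_bytes):
    """Return [(vector, target), ...] in document order.

    Raises expat.ExpatError if the document is not well-formed.
    """
    found = []
    # Namespace-aware parsing: names arrive as "namespace-uri localname".
    p = expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id:
            found.append(("doctype-system", system_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id:
            kind = "external-parameter-entity" if is_param else "external-entity"
            found.append((kind, system_id))

    def on_pi(target, data):
        if target == "xml-stylesheet":
            found.append(("xml-stylesheet", data))

    def on_start(name, attrs):
        # xi:include's href is an unprefixed attribute, so key on the element.
        if name == XINCLUDE + " include" and "href" in attrs:
            found.append(("xi:include", attrs["href"]))
        for qname, value in attrs.items():
            vector = URL_ATTRS.get(tuple(qname.split(" ", 1)))
            if vector:
                found.append((vector, value))

    def on_skipped(name, is_param):
        # expat reports entities it could not resolve because the external
        # DTD named in the DOCTYPE was never loaded; this is the brand.dtd
        # trick, observed without fetching anything.
        found.append(("unresolved-entity", name))

    def on_external_ref(context, base, system_id, public_id):
        # Returning 1 tells expat the reference is handled. No sub-parser is
        # created, so the external entity is never opened.
        return 1

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.ProcessingInstructionHandler = on_pi
    p.StartElementHandler = on_start
    p.SkippedEntityHandler = on_skipped
    p.ExternalEntityRefHandler = on_external_ref
    p.Parse(xml_bytes, True)
    return found


# Constructed sample: Gareth's brand.dtd document extended with the other
# vectors from the thread. Hosts under example.invalid are placeholders.
SAMPLE = b"""<?xml version='1.0' encoding='us-ascii'?>
<?xml-stylesheet type="text/xsl" href="https://example.invalid/sheet.xsl"?>
<!DOCTYPE body SYSTEM "chrome://branding/locale/brand.dtd" [
  <!ENTITY ext SYSTEM "https://example.invalid/leak.txt">
]>
<body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:xi="http://www.w3.org/2001/XInclude"
      xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
      xsi:noNamespaceSchemaLocation="https://example.invalid/note.xsd">
  <b>&brandShortName;</b>
  <p>&ext;</p>
  <xi:include href="https://example.invalid/secret.xml"/>
  <rdf:Description rdf:resource="https://example.invalid/thing"/>
</body>
"""

if __name__ == "__main__":
    for vector, target in audit_external_refs(SAMPLE):
        print(f"{vector:32} {target}")
```

The "unresolved-entity" entries are the interesting ones for the brand.dtd case: the parser never opened the DTD, so the entity stays unresolved here, whereas a client that does load the DTD would substitute text from the other origin and hand it to page script. A document that produces an empty list is one that causes no client-side fetches, whatever parser ends up reading it.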
