Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
Interesting validator behaviour
Posted by: Anonymous User
Date: November 30, 2006 11:52AM

Hi!

Ever wanted to know if someone pushed your site through the W3C validator? No? I guess so - but you could if you wanted ;)

If you modify the DOCTYPE of your HTML document and link the definition file to a PHP (or any other) file on your (or someone else's) server that includes the original DTD, sets the headers properly and after that adds logic like mail(..) or something else, this script is executed on any validation of this site and tells you via mail.

Why did I post this under CSRF? Imagine using some other stuff than the mail function. My time today is limited due to immense project load, so I wasn't able to be more creative, but let's see...

Here's an example file: http://mario.heideri.ch/test.html

Greetings,
.mario

Re: Interesting validator behaviour
Posted by: rsnake
Date: November 30, 2006 01:39PM

Are you saying you could 301/302 redirect their request to another server based on their IP address and get them to perform an action on another server for you? If not, I'm not quite sure what you're saying.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Interesting validator behaviour
Posted by: rsnake
Date: November 30, 2006 01:41PM

I just performed a quick test and indeed, the validator will not just 301 to other pages on the same domain but cross domains as well. So you could easily use it to trigger an event like hacking another site on your behalf.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Interesting validator behaviour
Posted by: Anonymous User
Date: November 30, 2006 04:36PM

Yes - recognized that too. You can perform any kind of request based on their site redirection. I wonder whether that could be combined with Petko's BackFrame channels and if there's any way the validator guys could protect themselves against that kind of vector. Damn HTTP ;)

Greetings,
.mario

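A fetch policy of the kind mario asks about, as an added example that is not the validator's code or code from anyone in this thread: the fetcher follows redirects by hand and refuses any hop that leaves the host the document was submitted from or that points at a loopback/private address, so a submitted page (or the DTD it references) cannot turn the validator into a cross-domain request relay. The `do_request` callable and the `UnsafeFetch` exception are assumptions for the example.

```python
import ipaddress
from urllib.parse import urlsplit, urljoin

REDIRECT_CODES = (301, 302, 303, 307, 308)

class UnsafeFetch(Exception):
    """Raised when a hop in the fetch chain violates policy (assumed name)."""

def is_blocked_host(host: str) -> bool:
    """True for 'localhost' and literal loopback/private/link-local addresses.
    DNS resolution is left out so this runs offline; a real fetcher must also
    resolve the name and check every returned address (pinning it for the
    connection) to cover the DNS-rebinding variant."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # a DNS name: resolve and re-check in production
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified

def check_hop(url: str, origin_host: str) -> None:
    """Reject a URL the fetcher must not visit: unsupported scheme, a host other
    than the one the document was submitted from, or a blocked address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeFetch(f"scheme not allowed: {url}")
    host = (parts.hostname or "").lower()
    if host != origin_host:
        raise UnsafeFetch(f"redirect leaves origin host {origin_host!r}: {url}")
    if is_blocked_host(host):
        raise UnsafeFetch(f"blocked address: {url}")

def safe_fetch(url: str, do_request, max_hops: int = 3):
    """Fetch url via do_request(url) -> (status, headers, body), following
    redirects by hand so every hop is policy-checked. Returns (final_url, body)."""
    origin_host = (urlsplit(url).hostname or "").lower()
    check_hop(url, origin_host)
    for _ in range(max_hops + 1):
        status, headers, body = do_request(url)
        if status not in REDIRECT_CODES:
            return url, body
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if location is None:
            raise UnsafeFetch(f"redirect without Location header at {url}")
        url = urljoin(url, location)  # Location may be relative
        check_hop(url, origin_host)
    raise UnsafeFetch(f"more than {max_hops} redirects")
```

The same-host rule is the strict reading of the thread; a validator that needs to fetch DTDs from other hosts would instead keep an allowlist of DTD hosts and apply the same per-hop checks.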
Re: Interesting validator behaviour
Posted by: rsnake
Date: December 03, 2006 08:16PM

I'm not sure... What do you have in mind? It seems like it's more useful for the stuff like getting Google to hack for you. It may also be useful for other types of probes, but there are probably easier ways to do that.

- RSnake
Gotta love it. http://ha.ckers.org
