How robots and spiders are causing issues, how to stop them. We can also talk about Completely Automated Public Turing Test To Tell Computers And Humans Apart - their use, their compliance issues, porn proxies, PWNtcha and other ways to defeat them. 
XSSing the CAPTCHA away
Posted by: maluc
Date: October 31, 2006 01:09PM

So let's say you find an XSS hole on a site. Since I love to pick on them, let's use myspace as the example. For example, say the attacker's goal is to change the user's password in their settings, but the change-pass form is CAPTCHA'd. With the XSS you have access to the DOM and to pull pages - but how does one offload that dynamic CAPTCHA image to another place?
Example:
<img name="humantest" src="myspace.com/captcha.php">
That php returns a gif.

Would using an XMLHttpRequest to myspace.com/captcha.php and offloading the request.responseText work? But I think that image will be different than the one shown on the full page. Anyone know of successful methods?

-maluc

Re: XSSing the CAPTCHA away
Posted by: WhiteAcid
Date: October 31, 2006 01:54PM

In a well coded system you would get a different image to what is shown on the full page. This is a good question, one I can't see an obvious solution for.

One crappy solution I can think of is that instead of doing the XSS without them knowing about it, make the XSS create a page saying that it'll give away free porn. All the user has to do is certify they're over 18 and that they're not a bot. As part of that they'll fill in the CAPTCHA which is actually for the myspace password form and the submit button will then actually change their password, and also give them free porn if you're kind.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: XSSing the CAPTCHA away
Posted by: maluc
Date: October 31, 2006 02:16PM

Well, that's only really useful for stateless CAPTCHAs (like spamming wordpress blog comments) and for social engineering. I agree that you can open up a full frame on evil.com taking up 100% of the page, which actually points to myspace.com/changpass?currentpass=<script+src=evvil.js></script>. The URL in the address bar will still say evil.com and no one will be the wiser. But it still requires user action. So I'm wondering if there's a way for a 100% success rate by using automated ways instead. (Sometimes people just aren't in the mood for pron :/ )

-maluc

Re: XSSing the CAPTCHA away
Posted by: WhiteAcid
Date: October 31, 2006 04:35PM

Well... AFAIK there's no way to read the data for an image via the DOM, and there's no guarantee that the next time you load the image it'll be the same, so I can't see any way to OCR the image.

Have a read of this http://blogs.securiteam.com/index.php/archives/208 and see if that helps. But I can't see how you can guarantee that will work.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: XSSing the CAPTCHA away
Posted by: maluc
Date: October 31, 2006 05:19PM

Ya, that again only helps for CAPTCHAs on stateless pages, i.e. it doesn't help for CSRF.

-maluc

Re: XSSing the CAPTCHA away
Posted by: rsnake
Date: October 31, 2006 08:13PM

There are many systems that serve the same CAPTCHA over and over to whatever cookie you gave to them. If you can pull the credentials you can replay the cookie. Even more systems use dynamically built images based off the URL string like captchaimage1l5kjslkjgvijas.jpg so as long as that is pulled by the remote server it's fine, you just need to get that image name passed off to the remote server so your porn proxy can solve it and return the data by JSON or something similar once it's solved. This is definitely doable with most systems once you have XSS on the page. :)

- RSnake
Gotta love it. http://ha.ckers.org

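Added example (editor's, not code from any poster in this thread or from any site mentioned): the server side of a CAPTCHA that does not have the two weaknesses the thread turns on. WhiteAcid's point is that a well-coded system gives a different image on every fetch; RSnake's point is that many systems instead serve the same challenge to whatever cookie asks for it, or derive the image name from the URL, so a solved answer can be replayed or passed to a proxy. The hardened store below binds the answer to the session that received the image, drops any earlier challenge when a new image is issued, accepts each answer once, and expires old challenges; a weak store with the replayable behaviour sits beside it for contrast. The TTL, the answer alphabet and the in-memory dict standing in for a real session store are assumptions; image rendering is out of scope. Nothing here helps once hostile script runs in the site's own origin, which is the thread's premise; that case is fixed by removing the XSS and by requiring the current password for the change.

```python
import hmac
import secrets
import time

# Assumed policy values: how long an issued challenge stays valid, and the
# alphabet answers are drawn from (ambiguous 0/O, 1/I/L left out).
CHALLENGE_TTL = 300
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


def new_answer(length=6):
    """Draw the text the image will show from a CSPRNG, never from the URL."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class WeakCaptchaStore:
    """The pattern RSnake describes: one answer per cookie, the same image
    name every time, and the answer is never consumed when it is checked."""

    def __init__(self):
        self._per_cookie = {}

    def issue(self, session_id, answer):
        self._per_cookie.setdefault(session_id, answer)
        return "captcha"  # same image name for every request

    def verify(self, session_id, challenge_id, submitted):
        return self._per_cookie.get(session_id) == submitted


class CaptchaStore:
    """Server-side record of outstanding challenges, keyed by session.

    Enforced properties:
      * one outstanding challenge per session: issuing a new image discards
        the old one, so a cached or re-fetched image never matches an answer
        given earlier;
      * each challenge is checked once, pass or fail;
      * the answer is bound to the session cookie that received the image,
        and the id in the image URL is random, not derived from the answer;
      * challenges expire after CHALLENGE_TTL seconds.
    """

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested
        self._pending = {}  # session_id -> (challenge_id, answer, issued_at)

    def issue(self, session_id, answer):
        """Register `answer` for `session_id` and return the id to embed in the
        <img src=...> URL. Any earlier challenge for the session is dropped."""
        challenge_id = secrets.token_urlsafe(16)
        self._pending[session_id] = (challenge_id, answer, self._now())
        return challenge_id

    def verify(self, session_id, challenge_id, submitted):
        record = self._pending.pop(session_id, None)  # single use, pass or fail
        if record is None:
            return False
        stored_id, answer, issued_at = record
        if self._now() - issued_at > CHALLENGE_TTL:
            return False
        # constant-time comparisons on bytes (compare_digest rejects non-ASCII str)
        id_ok = hmac.compare_digest(stored_id.encode(), challenge_id.encode())
        answer_ok = hmac.compare_digest(answer.upper().encode(),
                                        submitted.strip().upper().encode())
        return id_ok and answer_ok


def demo():
    """Run both stores through the cases discussed in the thread and return the
    outcomes; a fixed clock keeps the expiry case deterministic."""
    clock = [1000.0]
    store = CaptchaStore(now=lambda: clock[0])
    sid = "session-cookie-A"  # constructed session id
    results = {}

    first = store.issue(sid, "X7K2PQ")
    second = store.issue(sid, "M4N9ZT")  # page reloaded: first image is now dead
    results["stale_image"] = store.verify(sid, first, "X7K2PQ")  # also consumes `second`

    third = store.issue(sid, "Q1W2E3")
    results["other_session"] = store.verify("session-cookie-B", third, "Q1W2E3")
    results["correct"] = store.verify(sid, third, " q1w2e3 ")  # trimmed, case-insensitive
    results["replay"] = store.verify(sid, third, "Q1W2E3")  # already consumed

    fourth = store.issue(sid, "H5J8RS")
    clock[0] += CHALLENGE_TTL + 1
    results["expired"] = store.verify(sid, fourth, "H5J8RS")

    weak = WeakCaptchaStore()
    weak.issue(sid, "ABC123")
    # the weak store accepts the same answer again and again
    results["weak_replay"] = (weak.verify(sid, "captcha", "ABC123")
                              and weak.verify(sid, "captcha", "ABC123"))
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:14s} accepted={accepted}")
```

The one design choice worth noting is that a failed check also consumes the challenge: after a wrong answer the form has to fetch a fresh image, which is what makes the per-session binding hold even when an earlier image is still cached somewhere.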