Sla.ckers.org
Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables, and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.

Current Page: 1 of 1
Results 1 - 9 of 9
6 years ago
fjw
I successfully used a JPG+JAR running from Firefox, created with the command: copy /b me.jpg + clock.jar gifar.jpg

Edit: looking at your post above, it looks like the JRE is searching for a main class file named "gifar.class", which I am assuming isn't the main class file you wanted. Try specifying the class when you call the applet. I used something like this: <applet code
Forum: CSRF and Session Info
6 years ago
fjw
On a slightly different note, another observation about the GIFAR problem: a ZIP archive may contain arbitrary data not only before the start of the first file, but also at the end of the file, in the form of a "ZIP file comment". My testing with any data in this ZIP file comment led to the JAR still being executed by the JRE, therefore it is possible not only to have a JAR at the en
Forum: CSRF and Session Info
6 years ago
fjw
kuza55, thanks for your help. It's unfortunate that the content-type of files is ignored when they are called from applet/object/embed, or I could have got around this simply by specifying a content type of application/octet-stream (or a content-disposition of attachment, though that is ignored in even more situations). In an ideal world, no JAR file served as application/octet-stream would be
Forum: CSRF and Session Info
6 years ago
fjw
I think I've found a solution:
- Allow all uploads.
- Only allow downloads using the POST method, i.e. as the result of clicking a button. AFAIK an applet tag on another site can never use the POST method to execute an applet.
- Exceptions can be made where the file has been scanned and identified as harmless.
The downside to this is that download managers won't be able to download th
Forum: CSRF and Session Info
6 years ago
fjw
tx Wrote:
> @fjw: I will investigate these issues as it interests me, but I do wonder, is there really a benefit to allowing users to share jar files? Would not source packages do just as well?

For my application, I would like to provide the general ability for users to upload whatever file they want as an 'attachment
Forum: CSRF and Session Info
6 years ago
fjw
I am developing a custom PHP app. I have tested serving a jar file with various content-type headers intended to tell browsers it isn't a Java file, such as application/octet-stream, even image/gif, but the JVM ignores MIME types and will always execute it from the applet tag - presumably using the privileges of my domain.
Forum: CSRF and Session Info
6 years ago
fjw
> With the shown ability of graphic files to include a payload your options are pretty low, unless of course you can create some sort of program that can not only scan, but also clean files that include payloads.

Scanning for the ZIP/JAR signature is not too much of a problem for me - I already scan file types, although currently only at the start of a file (I'd need
Forum: CSRF and Session Info
6 years ago
fjw
This is precisely the kind of attack that I need to know how to prevent: http://www.infoworld.com/article/08/08/01/A_photo_that_can_steal_your_online_credentials_1.html In that attack, a user uploads a JAR file that appears to be a harmless GIF file and is served as a GIF. But Java applets will nonetheless run it as a JAR. Let's say that I want people to be able to upload JAR or SWF files
Forum: CSRF and Session Info
6 years ago
fjw
I have a web application which allows file uploads from untrusted users (think email attachments). The application stores a session identifier in a cookie. What I need to know is: how do I prevent these file uploads from being executed (as Flash, or Java for instance) from external sites and thus allowing external sites to gain access to cookies set for my domain?
1. Attacker signs up at m
Forum: CSRF and Session Info