Jul 01

Download this advisory from: http://soroush.secproject.com/downloadable/IIS5.1_Authentication_Bypass.pdf
or: http://0me.me/demo/IIS/IIS5.1_Authentication_Bypass.pdf

Description:
Although IIS5 is very old, finding a live one is not impossible! Therefore, I want to introduce a technique to bypass the IIS authentication methods on a directory.
This vulnerability arises from using an NTFS Alternate Data Stream name to open a protected folder.
All of the IIS authentication methods can be circumvented. In this technique, we append “:$i30:$INDEX_ALLOCATION” to a directory name to bypass the authentication.
In a protected folder such as “AuthNeeded” which includes “secretfile.asp”:
It is possible to run “secretfile.asp” by using:
“/AuthNeeded:$i30:$INDEX_ALLOCATION/secretfile.asp”
Instead of:
“/AuthNeeded/secretfile.asp”

More description:
Why IIS6 and 7 are not vulnerable:
- In these versions, IIS does not accept a colon (“:”) character in the URL before the query string.

Why we cannot use “::$Data” in IIS 5.1 anymore:
- IIS rejects the request if its URL contains “::$” (before the query string).

Why IIS5 is vulnerable to “Directory Authentication Bypass” by using “:$I30:$Index_Allocation”:
- IIS only verifies the directory name to check for authentication. Therefore, we can use “http://victim.com/SecretFolder:$I30:$Index_Allocation/” instead of “http://victim.com/SecretFolder” to bypass the authentication.

Is it possible to bypass something else by using “:$I30:$Index_Allocation” on an NTFS partition?
- If a check is based only on the directory name, it can be bypassed by this method.


Jun 30

I need to translate this word first:
Crazy Browsers = Crowsers

Now, I want to share some odd behaviour of browsers with you. Let’s make them Crazy!

 1- First, we load a URL in an IFrame. Then, we load another website in the same frame. Now, by using “javascript:window.history.go(0)”, the IFrame SRC changes back to the first URL, but the 2nd website stays in the IFrame!

 Try it here: http://0me.me/demo/crowzers/irsdl/addressbar_halt.html

 Which Browsers?

  - Mozilla Firefox 3.6.6

  - IE7

  - IE8

 2- We want to lock the address bar in different browsers by using “onblur” and “onload” events with “this.focus()”.

 Try it here: http://0me.me/demo/crowzers/irsdl/iframe_src_fool.html

 Which Browsers?

  - Mozilla Firefox 3.6.6

  - IE7

  - IE8

  - Opera 10.54

 3- We want to stop the browsers from working by using infinite loops and so on.

 Try it here: http://0me.me/demo/crowzers/irsdl/halt.html

 Which Browsers?

  - Mozilla Firefox 3.6.6: Halted with Mozilla Crash Reporter

  - IE7: Halted

  - IE8: Halted

  - Safari 5: Crashed on “javascriptcore.dll”

Good luck!

Jun 30

In Opera Browser, “scrollTop” and “scrollLeft” properties of a frame are accessible through the main page. This may lead to cross site information leakage.

Tested Platform: Opera <= 10.54 AND 10.60 RC (Build 3443)

Proof of Concept:

http://0me.me/demo/opera_scroll_leak/test_scroll.html

UPDATE:
Why is it really an issue?

I think it is one kind of same origin policy bypass. All other major browsers are protected against this method.
My point is: if you use the “#” character, you can jump to a certain point of a page when you know that element’s ID.
It is shown in my proof of concept if you look at:
I used two URLs with different Element IDs to collect the user’s information from Facebook:
First, by using the following URL, I can check whether the user is logged in to Facebook. It will jump to the “#pass” point, which is only available when the login form is at the top of the page.
Then, as there is an SMS subscription on the Opera Browser Wall (http://www.facebook.com/Opera) when you are a fan, I can find that out by using “#sms_status_subscribe” in the following URL:
 
And that’s why…!
May 30

What is inside of an object in my browser? What about you?

I wrote a simple piece of JavaScript to list the contents of an HTML object. Now, I want to share it with you as well. Although in Mozilla Firefox it is not as good as FireBug, it is very simple and makes life easier! Moreover, it is very useful for getting ideas about misusing the DOM, for example to bypass the Same Origin Policy, or even for steganographic purposes. However, I do not advise using this JS code to steal users’ HTML objects when you have an XSS in an application, as you can write faster and more reliable code for any specific target.

So, it is just code for playing with, in order to gain more experience and also to have fun with the DOM. Please cite me or let me know if you find anything interesting by using it.

Click here for the demo and the code: http://0me.me/demo/tricks/DOM_Obj_Browse.html

Save it, Modify it, Enjoy and please do not forget me ;)

You can use this code to see all the objects present in an HTML page. It will help you gain a better understanding of the objects that exist. You may even be able to bypass the SOP with its help, or use it to find ideas for steganography. If you find interesting information or a web browser vulnerability, please let me know about your research as well. Good luck.

May 27

In this paper, I want to present a method for performing Cross Site URL Hijacking (which we can call XSUH) by using the error object of Mozilla Firefox. An XSUH attack is used to steal another website’s URL. This URL can reveal the client’s state on that website, and it can contain confidential parameters such as a session ID as well. There is another useful article with a similar purpose but a different approach, the “XSHM” article of CHECKMARX, and reading it is highly recommended as well.
As you might know, script error handling in Mozilla Firefox is quite useful for developers, as it shows the exact source of an error together with some useful information. This functionality can be misused to divulge the destination URL after redirections (the XSUH attack), which can lead to leakage of the client’s state or the theft of important parameters from the URL.

Download From Here: http://soroush.secproject.com/downloadable/XSUH_FF_1.pdf
Or Here: http://0me.me/demo/XSUH/XSUH_FF_1.pdf

Proof of Concept: http://0me.me/demo/XSUH/XSUH_demo_firefox_all_in_1.html

Note: This technique has been tested on Mozilla Firefox 3.6.3, 3.5.9, 3.6.4build5 (26th May 2010).
