What is inside of an object in my browser? What about you?
I wrote a small piece of JavaScript that lists the contents of an HTML object, and I want to share it with you. Although in Mozilla Firefox it is not as good as FireBug, it is very simple and makes life easier! Moreover, it is useful for getting ideas about misusing the DOM, for example to bypass the Same Origin Policy, or even for steganographic purposes. However, I do not advise using this JS code to steal users’ HTML objects when you have an XSS in an application, as you can write faster and more reliable code for any specific target.
So, it is just code for playing with, to gain more experience and have some fun with the DOM. Please cite me or let me know if you find anything interesting by using it.
Click here for the demo and the code: http://0me.me/demo/tricks/DOM_Obj_Browse.html
Save it, Modify it, Enjoy and please do not forget me ;)
You can use this code to see all of the objects present in an HTML page. It will help you gain a better understanding of the objects that exist. You may even be able to bypass the SOP with its help, or use it to find ideas for steganography. If you find interesting information or a web browser vulnerability, please keep me informed of your research. Good luck.
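The demo is only linked above, so the following is an added example (my own code, not the demo's or the author's) of what such an object browser has to do: walk an object graph and emit one line per reachable property. The two things that break a naive `for...in` dump of a real DOM object are handled explicitly: cyclic references (`window.window`, `node.parentNode`) and accessor properties that throw on read, which is exactly what the Same Origin Policy does for most members of a cross-origin window. `sampleDocument` is a constructed stand-in for a small DOM subtree; in a browser you would pass `document`, `window` or any element instead.

```javascript
// Added example: list every reachable property of an object as
// "path: type = value", bounded by depth and protected against cycles.
function listObject(root, maxDepth = 3) {
  const lines = [];
  const seen = new WeakSet();   // objects already expanded; stops cycles and repeats

  function kindOf(value) {
    if (value === null) return "null";
    if (Array.isArray(value)) return "array";
    return typeof value;        // "object", "function", "string", "number", ...
  }

  function walk(obj, path, depth) {
    seen.add(obj);
    const keys = [];
    for (const key in obj) keys.push(key);   // own + inherited enumerable keys
    keys.sort();
    for (const key of keys) {
      const childPath = `${path}.${key}`;
      let value;
      try {
        value = obj[key];                      // accessors may throw on read (e.g. SecurityError)
      } catch (err) {
        lines.push(`${childPath}: [inaccessible: ${err.name}]`);
        continue;
      }
      const kind = kindOf(value);
      if (kind === "object" || kind === "array") {
        if (seen.has(value)) {
          lines.push(`${childPath}: [already listed]`);
        } else if (depth >= maxDepth) {
          lines.push(`${childPath}: ${kind} [max depth]`);
        } else {
          lines.push(`${childPath}: ${kind}`);
          walk(value, childPath, depth + 1);
        }
      } else if (kind === "function") {
        lines.push(`${childPath}: function`);
      } else {
        lines.push(`${childPath}: ${kind} = ${String(value)}`);
      }
    }
  }

  walk(root, "root", 0);
  return lines;
}

// Constructed sample: a tiny document-like graph with a back-reference (cycle)
// and one property whose getter throws, mimicking a cross-origin access.
function sampleDocument() {
  const doc = { title: "Demo", URL: "https://example.test/", body: { tagName: "BODY", childNodes: [] } };
  doc.body.ownerDocument = doc;                                          // cycle
  doc.body.childNodes.push({ tagName: "DIV", id: "main", parentNode: doc.body }); // another cycle
  Object.defineProperty(doc, "blocked", {
    enumerable: true,
    get() { const e = new Error("Permission denied"); e.name = "SecurityError"; throw e; },
  });
  return doc;
}

// Stand-alone run: print the listing the way the demo page would.
for (const line of listObject(sampleDocument())) console.log(line);
```

The per-property `try`/`catch` is the part worth keeping when you adapt this to a page: a single throwing getter otherwise aborts the whole dump, and the `[inaccessible: SecurityError]` lines are precisely the members the browser is protecting.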
In this paper, I want to present a method for performing Cross Site URL Hijacking (which we can call XSUH) by using the error object of Mozilla Firefox. An XSUH attack is used to steal the URL of another website. This URL can reveal the client’s state on that website, and it can also contain confidential parameters such as a session ID. There is another useful article with a similar purpose but a different approach, the “XSHM” article by CHECKMARX, and reading it is highly recommended as well.
As you might know, script error handling in Mozilla Firefox is quite useful for developers, as it can show the exact source of an error together with some useful information. This functionality can be misused to divulge the destination URL after redirections (the XSUH attack), which can lead to leakage of the client’s state or to the theft of important parameters from the URL.
Download From Here: http://soroush.secproject.com/downloadable/XSUH_FF_1.pdf
Or Here: http://0me.me/demo/XSUH/XSUH_FF_1.pdf
Proof of Concept: http://0me.me/demo/XSUH/XSUH_demo_firefox_all_in_1.html
Note: This technique has been tested on Mozilla Firefox 3.6.3, 3.5.9, 3.6.4build5 (26th May 2010).
One of the first steps in black-box penetration testing of a website is mapping its files and directories. To do that, security scanners first crawl the website and then try to guess possible directories and files. These scanners use the response header or body of the page to decide whether a file or directory is valid. For instance, the status “404” can be the sign of “File Not Found” and “200” can be the sign of a valid file. Also, the status “403 Forbidden” can be the sign of a valid directory without any index page. However, many websites such as Yahoo, Google, Facebook, Microsoft, and so on do not like to show “403 Forbidden” errors for a valid directory, and instead show a “Page Not Found” or another default page to the user. Although this makes the website more user-friendly, it is not good for scanners at all, as there is then no difference between a valid and an invalid directory.
Therefore, we need something else as a signature to improve the scanners’ results, and one solution is to use a trailing “/” as the identifier. When a valid directory is requested without a slash at the end, the web server adds the slash automatically; when the directory is invalid, no slash is added to the end of the directory name.
Some examples:
Invalid Directory: http://www.microsoft.com/foobars
Valid Directory: http://www.microsoft.com/test
——–
Invalid Directory: http://code.google.com/foobars
Valid Directory: http://code.google.com/js
——–
Invalid Directory: http://www.facebook.com/foobars
Valid Directory: http://www.facebook.com/admin
——–
Invalid Directory: http://uk.yahoo.com/foobars
Valid Directory: http://uk.yahoo.com/private
——–
Cheers,
Soroush Dalili
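As an added example (my own code, not the author’s), here is the trailing-slash signature from the post written as a self-check you can run over saved responses from your own site: it takes the probed URL (no trailing slash), the status code and the `Location` header, and reports whether the response gives away that the directory exists. The sample responses are constructed, not captured from the sites named above, and `example.test` is a placeholder host.

```javascript
// Added example: classify one response to a probe for "/name" (no trailing
// slash) using the signatures from the post: a redirect that appends "/"
// or a 403 means the directory exists; a 404 means it does not.
function classifyDirectoryProbe(requestUrl, status, location) {
  const req = new URL(requestUrl);
  if (req.pathname.endsWith("/")) throw new Error("probe path must not end with '/'");

  if (status >= 300 && status < 400 && location) {
    const target = new URL(location, req);   // Location may be relative
    const expected = req.pathname + "/";
    if (target.origin === req.origin && target.pathname === expected) {
      return "existing-directory";           // server appended the slash
    }
    return "other-redirect";                 // e.g. a generic landing or login page
  }
  if (status === 403) return "existing-directory"; // valid directory without an index page
  if (status === 404) return "not-found";
  if (status === 200) return "file-or-soft-404"; // needs a body comparison to tell apart
  return "unknown";
}

// Constructed sample responses for a placeholder host.
const SAMPLE_RESPONSES = [
  { url: "http://www.example.test/foobars", status: 404, location: null },
  { url: "http://www.example.test/test",    status: 301, location: "http://www.example.test/test/" },
  { url: "http://www.example.test/js",      status: 301, location: "/js/" },
  { url: "http://www.example.test/private", status: 302, location: "/login" },
  { url: "http://www.example.test/admin",   status: 403, location: null },
];

function classifyAll(responses) {
  return responses.map(r => ({
    url: r.url,
    verdict: classifyDirectoryProbe(r.url, r.status, r.location),
  }));
}

for (const { url, verdict } of classifyAll(SAMPLE_RESPONSES)) console.log(`${url} -> ${verdict}`);
```

If you would rather your server did not exhibit the signature, the relevant knob on Apache is `mod_dir`’s `DirectorySlash` directive (`DirectorySlash Off` disables the automatic redirect); note that Apache’s own documentation warns that turning it off can expose directory listings when `mod_autoindex` is enabled, so test the result before relying on it.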
Some new methods of bypassing file uploader protections are discussed, for example bypassing by using trailing spaces and dots, “::$data”, a direct null character, the IIS semicolon bug, and so on.
Uploading files through web applications is very common. However, there is always a high risk around this matter: if a web-shell file, which can be absolutely malicious, is uploaded, an attacker gains the same level of access to the server as the web application itself. In this paper, which mostly concerns Windows-based web applications, some general solutions for protecting against this type of attack are suggested. Moreover, as a proof of concept, some of the most common protection methods and the ways of bypassing them are discussed.
This article is an educational article intended to improve the security of web applications. The author of this article (“Soroush Dalili”) accepts no responsibility for the content or for any other usage of this article. Any usage of this article other than legal usage is completely prohibited.
Please respect the copyright and mention the name of the author (“Soroush Dalili”) in case of using this article.
Download this article by clicking here. (http://soroush.secproject.com/downloadable/Improve File Uploaders’ Protections.pdf)
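The paper itself is only linked, so the following is an added example (my own code, not the paper’s) showing why the bypasses listed above work and what a validator has to do about them. `naiveBlacklistCheck` is the kind of extension blacklist the paper describes being bypassed; `validateUploadName` is a hardened allow-list check that rejects null bytes, NTFS stream syntax (`::$DATA`), the IIS semicolon case and path separators outright, and strips trailing dots and spaces before looking at the extension because Windows drops them when the file is written. The allowed-extension list and the test names are my own choices.

```javascript
// Added example: a blacklist check that the page's bypass tricks defeat,
// beside an allow-list validator that closes them.

// Naive protection: reject if the name ends with a server-executable extension.
function naiveBlacklistCheck(fileName) {
  return !/\.(asp|aspx|php|jsp)$/i.test(fileName);   // true = accepted
}

const ALLOWED_EXTENSIONS = ["jpg", "jpeg", "png", "gif", "pdf"];
const RESERVED_DEVICE_NAMES = /^(con|prn|aux|nul|com[1-9]|lpt[1-9])$/i;

// Hardened validation: only the final file name is accepted, and only with an
// allow-listed extension computed after Windows-style normalisation.
function validateUploadName(rawName, allowed = ALLOWED_EXTENSIONS) {
  if (typeof rawName !== "string" || rawName.length === 0) return { ok: false, reason: "empty name" };
  // A null byte truncates the name in C-based file APIs ("shell.aspx\0.jpg" -> "shell.aspx").
  if (rawName.includes("\0")) return { ok: false, reason: "null byte" };
  // Path separators, the colon used by NTFS streams ("::$DATA") and drive letters,
  // and the semicolon that IIS treats as the end of the file name.
  if (/[\\/:;]/.test(rawName)) return { ok: false, reason: "path separator, colon or semicolon" };
  // Remaining characters Windows forbids in names, plus control characters.
  if (/[<>"|?*\x01-\x1f]/.test(rawName)) return { ok: false, reason: "forbidden character" };
  // Windows silently drops trailing dots and spaces, so "shell.aspx ." is stored as "shell.aspx".
  const trimmed = rawName.replace(/[. ]+$/, "");
  const dot = trimmed.lastIndexOf(".");
  if (dot <= 0) return { ok: false, reason: "missing extension" };
  const base = trimmed.slice(0, dot);
  const ext = trimmed.slice(dot + 1).toLowerCase();
  if (!allowed.includes(ext)) return { ok: false, reason: `extension not allowed: ${ext}` };
  if (RESERVED_DEVICE_NAMES.test(base)) return { ok: false, reason: "reserved device name" };
  return { ok: true, name: `${base}.${ext}` };
}

// Constructed test names: the four bypass shapes from the post, plus legitimate ones.
const BYPASS_NAMES = ["shell.aspx.", "shell.aspx::$DATA", "shell.aspx;.jpg", "shell.aspx\0.jpg"];

for (const n of BYPASS_NAMES) {
  console.log(JSON.stringify(n), "blacklist:", naiveBlacklistCheck(n), "allow-list:", validateUploadName(n));
}
console.log(validateUploadName("photo.JPG . ."), validateUploadName("report.pdf"));
```

Even with the allow-list in place, store the file under a server-generated name and keep only the validated extension; the user-supplied base name should never reach the filesystem.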
Iframe delay in loading the local drives in IE7 and IE8 can cause drive list enumeration!
Proof of Concept is available from this link:
http://plaincipher.com/demo/IE-Drive-Enum-Demo.html
Cheers,
Soroush Dalili