Comments on: Cross-protocol XSS with non-standard service ports http://i8jesus.com/?p=75 because arshan's too cheap to license OneNote Wed, 01 Sep 2010 06:10:02 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Week 35 in Review – 2009 | Infosec Events http://i8jesus.com/?p=75&cpage=1#comment-28462 Week 35 in Review – 2009 | Infosec Events Thu, 11 Feb 2010 10:29:00 +0000 http://i8jesus.com/?p=75#comment-28462 [...] Cross-protocol XSS with non-standard service ports – i8jesus.com If the input contains JavaScript, the browser will execute it in the target origin. [...] [...] Cross-protocol XSS with non-standard service ports – i8jesus.com If the input contains JavaScript, the browser will execute it in the target origin. [...]

]]> By: kindle http://i8jesus.com/?p=75&cpage=1#comment-25347 kindle Tue, 17 Nov 2009 02:19:31 +0000 http://i8jesus.com/?p=75#comment-25347 不错的思路 不错的思路

]]> By: Blog :: by Wade Woolwine » Blog Archive » News and Commentary :: by WadeW and You (09/04/2009) http://i8jesus.com/?p=75&cpage=1#comment-20769 Blog :: by Wade Woolwine » Blog Archive » News and Commentary :: by WadeW and You (09/04/2009) Fri, 04 Sep 2009 11:20:19 +0000 http://i8jesus.com/?p=75#comment-20769 [...] Cross-protocol XSS with non-standard service ports from omg.wtf.bbq. File this under “yet another awesome use for XSS”! Seriously, Arshan’s managed to leverage an XSS vulnerability to log into an FTP server (*provided the FTP server is hosted on a non-standard port)! Let’s consider another service that uses plain text to enable client/server communications: SMTP. Now lets consider that quite often, internal SMTP servers don’t (always) enforce authentication and authorization when relaying emails. Finally, consider that most modern business communications happen via email. This really spells disaster above and beyond the usual “Email from the CEO” pranks. What about account brute forcing? I’m glad you asked! Think of the POP3 service that might be exposed on your internal networks to support all those non-Windows folks. Seems like this approach could be used to perform password brute forcing on any service that uses text for client/server interactions. [...] [...] Cross-protocol XSS with non-standard service ports from omg.wtf.bbq. File this under “yet another awesome use for XSS”! Seriously, Arshan’s managed to leverage an XSS vulnerability to log into an FTP server (*provided the FTP server is hosted on a non-standard port)! Let’s consider another service that uses plain text to enable client/server communications: SMTP. Now lets consider that quite often, internal SMTP servers don’t (always) enforce authentication and authorization when relaying emails. Finally, consider that most modern business communications happen via email. This really spells disaster above and beyond the usual “Email from the CEO” pranks. What about account brute forcing? I’m glad you asked! Think of the POP3 service that might be exposed on your internal networks to support all those non-Windows folks. Seems like this approach could be used to perform password brute forcing on any service that uses text for client/server interactions. [...]

]]> By: Cross-protocol XSS with non-standard service ports « Longjidin’s Kg Lengkong to Bukit Lada http://i8jesus.com/?p=75&cpage=1#comment-20632 Cross-protocol XSS with non-standard service ports « Longjidin’s Kg Lengkong to Bukit Lada Wed, 02 Sep 2009 00:47:25 +0000 http://i8jesus.com/?p=75#comment-20632 [...] to Arshan Klik here for More Tagged with: Cross-protocol XSS with non-standard leave a comment « Microsoft IIS FTP [...] [...] to Arshan Klik here for More Tagged with: Cross-protocol XSS with non-standard leave a comment « Microsoft IIS FTP [...]

]]> By: Acidus http://i8jesus.com/?p=75&cpage=1#comment-20611 Acidus Tue, 01 Sep 2009 16:38:00 +0000 http://i8jesus.com/?p=75#comment-20611 Sexy post. My guess is the reason browser don't need HTTP response headers to process a response as a webpage is so they can support HTTP/0.9. These are simply "GET /resource.html" style requests and byte stream responses. No HTTP status codes or headers. http://www.w3.org/Protocols/HTTP/AsImplemented.html Why would a browser process a HTTP/0.9 style response when it made a HTTP/1.1 or HTTP/1.0 style request? The browser has no way of knowing what the server supports. For all it knows it really is talking to a HTTP/0.9 server which accepted the GET request line, ignored the HTTP request headers as invalid requests, and returned an HTTP/0.9 response. Backwards compatibility and all that jazz. Is this all a guess? Yes. If I'm right is this stupid behavior for a modern browser? Indeed. The chance of finding a HTTP/0.9 server is far less than the chance of someone bouncing HTTP through some other text protocol. Sexy post.

My guess is the reason browser don’t need HTTP response headers to process a response as a webpage is so they can support HTTP/0.9. These are simply “GET /resource.html” style requests and byte stream responses. No HTTP status codes or headers.

http://www.w3.org/Protocols/HTTP/AsImplemented.html

Why would a browser process a HTTP/0.9 style response when it made a HTTP/1.1 or HTTP/1.0 style request? The browser has no way of knowing what the server supports. For all it knows it really is talking to a HTTP/0.9 server which accepted the GET request line, ignored the HTTP request headers as invalid requests, and returned an HTTP/0.9 response. Backwards compatibility and all that jazz.

Is this all a guess? Yes. If I’m right is this stupid behavior for a modern browser? Indeed. The chance of finding a HTTP/0.9 server is far less than the chance of someone bouncing HTTP through some other text protocol.

]]> By: arshan dabirsiaghi http://i8jesus.com/?p=75&cpage=1#comment-20605 arshan dabirsiaghi Tue, 01 Sep 2009 15:36:21 +0000 http://i8jesus.com/?p=75#comment-20605 thanks for your comments, sandro, you definitely re-pioneered this area. i never saw your paper before alex pointed it out, and it's a good one. i have a feeling ie will have to update their port list soon with the increased attention. re: HTTP/0.9, was there ever a specification? the first hit on google shows a BNF (sort of) that indicates a status line is required. this is just trivia, anyway. yes, my ftp is no different from anyone else's, but thankfully it runs on port 21 ;) re: *.foo.com. you're right. this means that google -can't- have a publicly accessible ftp/smtp/whatevertp on a non-standard port anywhere on the web - how likely is that? i think an interesting avenue to research would be to see if active script delivered during an SSL handshake could result in any exploitable scenarios. i think that area is just as likely to be vulnerable, but people don't know how to easily intercept that SSL negotiation traffic thanks for your comments, sandro, you definitely re-pioneered this area. i never saw your paper before alex pointed it out, and it’s a good one. i have a feeling ie will have to update their port list soon with the increased attention.

re: HTTP/0.9, was there ever a specification? the first hit on google shows a BNF (sort of) that indicates a status line is required. this is just trivia, anyway.

yes, my ftp is no different from anyone else’s, but thankfully it runs on port 21 ;)

re: *.foo.com. you’re right. this means that google -can’t- have a publicly accessible ftp/smtp/whatevertp on a non-standard port anywhere on the web – how likely is that?

i think an interesting avenue to research would be to see if active script delivered during an SSL handshake could result in any exploitable scenarios. i think that area is just as likely to be vulnerable, but people don’t know how to easily intercept that SSL negotiation traffic

]]> By: Webのセキュリティ努力のゴールにあるのは「絶望」のみ http://i8jesus.com/?p=75&cpage=1#comment-20596 Webのセキュリティ努力のゴールにあるのは「絶望」のみ Tue, 01 Sep 2009 10:52:05 +0000 http://i8jesus.com/?p=75#comment-20596 [...] たとえば今日、Ajaxianのdalmaerが教えてくれた記事には、最近見つかったXSS/XSRFの新しい手口として、ブラウザにHTTPをHTTPでないサーバに送らせ、返ってくるそのコードのリスポンスを解釈させ、実行させる、というやり方が紹介されている(ぼくのこんな短い文を読むよりは、元のこの優れた説明を、アプリケーションのデベロッパ全員が読むべきだ)。このように、日常的な信頼関係につけ込んでユーザをだます新手(あらて)のやり口に、数週間に一回は出会ってる気がする。 [...] [...] たとえば今日、Ajaxianのdalmaerが教えてくれた記事には、最近見つかったXSS/XSRFの新しい手口として、ブラウザにHTTPをHTTPでないサーバに送らせ、返ってくるそのコードのリスポンスを解釈させ、実行させる、というやり方が紹介されている(ぼくのこんな短い文を読むよりは、元のこの優れた説明を、アプリケーションのデベロッパ全員が読むべきだ)。このように、日常的な信頼関係につけ込んでユーザをだます新手(あらて)のやり口に、数週間に一回は出会ってる気がする。 [...]

]]> By: All Tecked Up « Caintech.co.uk http://i8jesus.com/?p=75&cpage=1#comment-20586 All Tecked Up « Caintech.co.uk Tue, 01 Sep 2009 08:09:47 +0000 http://i8jesus.com/?p=75#comment-20586 [...] one Windows Exploit Programming Primer [2 hr video] Segmentation of the Top 100 Sites in the US Cross-protocol XSS with non-standard service ports Download IE 8 and donate 8 meals to charity Performance in Factor, Java, and Clojure Android [...] [...] one Windows Exploit Programming Primer [2 hr video] Segmentation of the Top 100 Sites in the US Cross-protocol XSS with non-standard service ports Download IE 8 and donate 8 meals to charity Performance in Factor, Java, and Clojure Android [...]

]]> By: infinity's status on Tuesday, 01-Sep-09 07:49:12 UTC - Identi.ca http://i8jesus.com/?p=75&cpage=1#comment-20582 infinity's status on Tuesday, 01-Sep-09 07:49:12 UTC - Identi.ca Tue, 01 Sep 2009 07:49:19 +0000 http://i8jesus.com/?p=75#comment-20582 [...] XSS with non-standard service ports: http://i8jesus.com/?p=75 [...] [...] XSS with non-standard service ports: http://i8jesus.com/?p=75 [...]

]]> By: The Almost Hopeless Challenge Of Web Security | Submitter http://i8jesus.com/?p=75&cpage=1#comment-20577 The Almost Hopeless Challenge Of Web Security | Submitter Tue, 01 Sep 2009 07:02:15 +0000 http://i8jesus.com/?p=75#comment-20577 [...] instance, today I read about (via dalmaer of Ajaxian) a newly discovered potential means for XSS and XSRF exploits by forcing a [...] [...] instance, today I read about (via dalmaer of Ajaxian) a newly discovered potential means for XSS and XSRF exploits by forcing a [...]

]]>