Comments on Jeremiah Grossman: Review of the Subverting Ajax white paper

Jeremiah Grossman (2007-05-25 14:14 -07:00):
Mostly limited to Adobe PDF I would think. No widely accepted convention around that I know of.

Anonymous (2007-05-25 14:12 -07:00):
When do I have to call XSS UXSS? Or is it only "limited" to Adobe PDF attacks?

Jeremiah Grossman (2007-01-11 10:14 -08:00):
From Amit Klein:

"I must say that this attack direction isn't quite new. My work on IE (and other people's work on Firefox) demonstrated this same technique, more than one year ago. My paper about this is even referenced in the Di-Paola paper - as [19] Amin Klein, 'IE + some popular forward proxy servers = XSS, defacement (browser cache poisoning)', http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00140.html

But as you can see even from my paper's title, XSS is already there (Universal XSS, it should probably have written). And from my intro:
In this write-up, I demonstrate how the security issue discussed in [1] can be exploited to force an XSS condition and/or a browser cache poisoning condition in IE 6.0 SP2, provided it is configured to use a forward proxy server

So Di-Paola et al. didn't really invent this attack - they used mine, and wrapped it with their prototype "framework" (somewhat similar to Rager's XSS proxy, and your IFrame trick)."

Will Stranathan (2007-01-09 04:35 -08:00):
Excellent write-up. As for the HRS attack, at that point you're REALLY looking for individuals. The combination of proxies/HTTP servers that are susceptible to HRS is REALLY slim. In my work, because it's so hard to even say "Well, XYZ forward proxy and your webserver match...", we've stopped referring to it as HRS altogether and just call it header injection, which we actually find to be much more dangerous (or at least effective) on an individual scale.

It is very good to know that there are really sharp people out there researching and publishing their findings, rather than just exploiting them.

And you made one point here that really, really needs to be emphasized - this doesn't change that our developers need to find and fix all the same vulnerabilities - in this case XSS and header injection. In AJAX websites, request fingerprinting doesn't hurt, either (although in the first example, I don't see it as much help, either).