Sunday, December 30, 2007

Bypassing Content-Disposition: attachment for XSS on IE

Well, first of all I want to congratulate my friend kuza55, because his talk "Unusual Web Bugs" at 24c3 was a success.

I watched it on the stream, and even though it dropped every 2 minutes, the audio was more or less constant, so I was able to hear it.

So, it was awesome, and he used the stuff that has been investigated and discovered lately, so it was a cutting-edge talk.

Anyway, I tried to send kuza a message for the Q&A that never arrived: when you say that the header Content-Disposition: attachment is a restriction that no one has been able to bypass, well, it's bypassable, and I don't know why I didn't tell you about this before.. anyway..

Suppose that http://www.victim.com/downloads.php?file=999 is a downloader that sends the header Content-Disposition: attachment. Then you can make IE display the content as its "best guess" by caching it first, like this:

<script src="http://www.victim.com/downloads.php?file=999"></script>
<iframe src="http://www.victim.com/downloads.php?file=999"></iframe>

The iframe will load the cached source, and IE will render it according to the best guess it can make about the content type.

I haven't tested this on Firefox, sorry, but it works at least on IE 6 and 7.
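As an added example (not code from the post), here is a small Python check that audits a download response's headers for the defensive layers that cut off the cache-and-reframe trick described above: Content-Disposition: attachment itself, Cache-Control: no-store so the body is never written to the cache that the iframe later reads, a Content-Type that does not invite sniffing, and X-Content-Type-Options: nosniff (a later header, assumed here as the standard anti-sniffing defence; it is not honored by the IE 6 and 7 the post tests, so for those only the no-store layer addresses the caching step). The header values are constructed samples.

```python
from typing import Dict, List

# Constructed sample responses (not captured from any real site) for the
# downloader scenario in the post: a file served with
# Content-Disposition: attachment and nothing else.
WEAK_RESPONSE = {
    "Content-Type": "text/plain",
    "Content-Disposition": "attachment; filename=report.txt",
}

HARDENED_RESPONSE = {
    "Content-Type": "application/octet-stream",
    "Content-Disposition": "attachment; filename=report.txt",
    "Cache-Control": "no-store",
    "X-Content-Type-Options": "nosniff",
}


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def check_download_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for a download response that relies on
    Content-Disposition: attachment to keep content out of the renderer.
    The trick in the post needs the body to be cached and then rendered
    from cache with a guessed type; each finding names a missing layer."""
    findings: List[str] = []
    if "attachment" not in _header(headers, "Content-Disposition").lower():
        findings.append("no Content-Disposition: attachment")
    if "no-store" not in _header(headers, "Cache-Control").lower():
        findings.append("cacheable: add Cache-Control: no-store")
    if _header(headers, "X-Content-Type-Options").lower() != "nosniff":
        findings.append("sniffable: add X-Content-Type-Options: nosniff")
    ctype = _header(headers, "Content-Type").split(";")[0].strip().lower()
    if ctype in ("", "text/plain", "text/html"):
        findings.append(
            f"Content-Type '{ctype or 'missing'}' invites sniffing; "
            "prefer application/octet-stream"
        )
    return findings
```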

So, that's mostly all, just wanted to say that..

Greetz!!

Monday, December 24, 2007

Making a Social Network XSS Worm (hi5.com)

Well, the last couple of days I've been playing with hi5.

It's pretty cool, and I found a couple of XSS vulnerabilities.

I reported them to help@hi5.com, security@hi5.com, admin@hi5.com and all the e-mails I found on the domain hi5.com.

Well, they didn't respond.

So, there's an XSS worm for hi5 in the wild.

The worm is on the following profile (if you visit it through this domain you won't get infected; the problem lies in visiting it through the www.hi5.com domain):

http://xssworm.hi5.com/

I'll warn you that the profile may be deleted by the hi5 staff at any time.

I'll give an explanation of how this worm works as soon as it's contained by the hi5 team, since it doesn't use XHR.. and some people have asked me in the past whether it is possible to make a worm without XHR.

To the hi5 team: there are a lot of vulnerabilities on your website; if you wish, I could help you with them, just respond to the freaking e-mails.

cya!

UPDATE

I've finally been contacted by the hi5 team; we are working on solving the XSS & CSRF vulnerabilities.