hack0r.net


Not So Mass Response - XSS For A Few

Posted in Webapp Security by n00k on March 14th, 2007

So far four websites have fixed their issues due to my report. Seven others seem to be working on it.

I decided to make only the ones that are fixed publicly available at this point. The list can be found here.

Ynnuf Ffuts

Posted in Webapp Security by n00k on March 14th, 2007

I just played around with some special characters when I stumbled across this. If you insert ‮ (U+202E, RIGHT-TO-LEFT OVERRIDE) into some text, from that point on the order of the following characters will be reversed. As far as I can see this has no security implication, since tags are still interpreted in the “right” direction, but it can be very annoying anyway and, depending on the way the page is written, might even kind of deface it. The effect applies to all characters after this “special character” that are in the same DOM text element. Well, this is not really accurate, because the source code gets all converted from that point on, at least in Firefox.

‮So here is a small example of what this looks like…

Advanced Voodoo

Posted in Computer Related by n00k on March 13th, 2007

Are you interested in theoretical computer science? Are you more into mathematics than simple multiplication? Then this is going to be interesting for you.
George, the brain, is now blogging and sharing his knowledge with us. I am really looking forward to seeing when he is going to solve P = NP and the theory of everything. ;)

GI Workshop

Posted in Events, Webapp Security by n00k on March 11th, 2007

A few days ago we submitted a paper to the GI, which was originally part of an abstract M4z and I did for a seminar. They accepted it, which means it will be printed in their magazine. That alone is nothing too cool, since it is more or less a summary of web-based vulnerabilities, but the really cool thing is that we will be going to Bonn from the 29th to the 31st of March for a workshop at the Informatiktage 2007. And it gets even better: the journey as well as the hotel will be paid for.

We could choose between several different topics. I clearly decided to attend “Security in Online-Banking”, since it was the only security-related one.
It seems to be held by someone who is at least related to the “Sparkasse”, and I am really interested in their point of view. The Haspa, which is Hamburg's branch of the Sparkasse, needs JavaScript activated to even be able to reach their online banking service. I do not get why they are doing this?! It does not look too security-conscious to me. Well, they have TANs, so it is not all that easy to ride the session and transfer money to my own account. But there may be other things that could be modified. Moreover, this urges even security-aware people to activate JavaScript and therefore be vulnerable to potential XSS vulnerabilities.
I guess I will be looking at what may be done with Session Riding on their site before then. Perhaps I will also find some XSS possibility, but this does not appear too likely after a first look.

If you have something similar or have even already found a vulnerability, please let me know. Maybe it will get a bit more of their attention when someone discusses it with them in person.

Nonetheless, I am really looking forward to this.

Massmail - XSS For The World

Posted in Webapp Security by n00k on March 8th, 2007

I just mailed most of the websites I found XSS vulnerabilities on. I will give them about a week to respond and then publish the list.

By the way, while collecting the mail addresses to inform them, I tried to find the email address of anyone responsible for something at aol.com, but their page is so well organized that I could not find any. Most of the time they wanted me to log in. But why should I register at an obviously vulnerable website? Thus they got left out.

UTF-7 Stuff

Posted in Webapp Security by n00k on March 7th, 2007

A few days ago I got a link from Martin Johns (this) and started playing around with it.

A scenario for this is: you have a page where everything between < and > is filtered out. It seems to forbid the inclusion of <script> blocks. But here is the catch: if the page does not define a charset, neither in the header nor by a meta tag, we may load the page within an iframe on a page whose charset is set to UTF-7. The page then contains not < or > but +ADw- and +AD4-, the UTF-7 encodings of those two characters. The filter sees no angle brackets and lets them through, but a browser that decodes the page as UTF-7 turns them back into < and >, which circumvents the filter.
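As an added example (not code from the original post, nor the linked code), the following Python models the bypass described above and the check that closes it. The browser model, the filter and the charset inheritance between framing and framed page are constructed assumptions, not a real browser:

```python
import base64
import re
from typing import Optional

# Characters UTF-7 may write directly (RFC 2152 set D plus whitespace);
# anything else is written as a '+<base64 of UTF-16BE>-' shift sequence.
DIRECT = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'(),-./:? \t\r\n")


def strip_tags(text: str) -> str:
    """The filter from the scenario above: drop everything between '<' and '>'."""
    return re.sub(r"<[^>]*>", "", text)


def utf7_shift(text: str) -> str:
    """Write every non-direct character as its own UTF-7 shift sequence.
    '<' becomes '+ADw-' and '>' becomes '+AD4-', the strings named in the post."""
    out = []
    for ch in text:
        if ch in DIRECT:
            out.append(ch)
        else:
            b64 = base64.b64encode(ch.encode("utf-16-be")).decode("ascii").rstrip("=")
            out.append("+" + b64 + "-")
    return "".join(out)


def browser_view(body: str, declared_charset: Optional[str], parent_charset: str) -> str:
    """Constructed model of the browser: a page that declares a charset is decoded with it;
    a page that declares none inherits the charset of the framing document (the Firefox
    behaviour the post relies on). The body is pure ASCII, so its bytes are identical under
    every charset; only the decoding step differs."""
    charset = declared_charset or parent_charset
    return body.encode("ascii").decode(charset)


def has_charset(content_type: str) -> bool:
    """Defender check: the Content-Type header must name a charset, e.g.
    'text/html; charset=utf-8', so a framing page cannot impose UTF-7."""
    return "charset=" in content_type.lower()


if __name__ == "__main__":
    shifted = utf7_shift("<script>")                  # '+ADw-script+AD4-'
    assert strip_tags(shifted) == shifted             # the filter sees no tag at all
    print(browser_view(shifted, None, "utf-7"))       # <script>  (charset inherited)
    print(browser_view(shifted, "utf-8", "utf-7"))    # +ADw-script+AD4-  (charset declared)
    print(has_charset("text/html"))                   # False: this page is at risk
```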

I got some code working which exploits this, here. You may want to see the page here, which will be loaded into the iframe, before you look at the link, since Firefox saves the overwritten charset for that page and will display the content with the charset set to UTF-7, this way executing the JavaScript. To reset it, just clear your browser cache.

Since I do not have a second domain at the moment and could not find a page which does not set the charset, I could not test what happens if a foreign domain is loaded inside the iframe.

While looking for a page that does not define a charset, I found something else which seems like a fixed issue. On pages where the charset is not defined in the header but in a meta tag, there should be no charset defined on pages that are generated by the webserver itself. But too bad, someone else must have found that before, because 404 error pages, which, at least when generated by Apache, show the string of the requested page, now magically have a charset defined in the header. If you have another idea how a webserver may be tricked into generating a page without a charset, I would love to know.

Hello World

Posted in Random Stuff by n00k on March 7th, 2007

This is the first entry in my obviously new blog. If I am not too lazy, I will post here stuff I am playing around with, which will be mostly security related. Other content may be things I experience or discover and consider, in my opinion, worth mentioning.
