
June 17, 2008

Comments

Ory Segal

Hi,

Here are a few interesting remarks, which we did not include in the post:

1) The JavaScript code flow manipulation presented in the post will not work in Firefox 2.0 (haven't tested this on other versions). The problem is that Firefox doesn't allow the child IFrame to set the property _ie_firstload of the parent to any value. This is of course a secure (proper) behavior on Firefox's account.

2) There is another JavaScript code flow manipulation opportunity here, which is very amusing. Instead of diverting the JavaScript code into the ELSE block (the attack that was described in the blog post), we can let it flow into the IF block (by not creating a child IFrame called "_ie_firstload"). At this point, the JavaScript interpreter will run the line:

parent.BrowserHistory.setBrowserURL(url);

In order to manipulate this code flow, we can do the following:

a) Create a child IFrame at the (malicious) parent level, which is called "BrowserHistory", and whose source points to another malicious page that we control on www.evil.site.

b) Create some page on the malicious web site, which contains yet another IFrame, called "setBrowserURL".

It appears that IE will be tricked the same way. This time, it is tricked to think that parent.BrowserHistory.setBrowserURL is a method, while in reality, it is an IFrame inside an IFrame.

(BTW - you would expect that IE will enforce the Same Domain Policy, since when you look at this from a JavaScript perspective, you are basically trying to access a JavaScript method, which should be limited to the same domain. If that was the case, we could've set the SRC attribute of the second IFrame to 'www.vuln.site' -- but hey, IE made life easier for us)

We wanted to use this technique in order to succeed in exploiting this DOM-based XSS on Firefox (by avoiding the problem mentioned in #1 above), but alas, Firefox throws an exception, saying that it does not have permissions to get the property parent._ie_firstload.

So to sum things up - in Firefox, if the IFrame exists, you can't trick FF to set a value to it (it doesn't get tricked by the "I'm an IFrame, but you can call me 'JavaScript Object'"), and if the IFrame doesn't exist, then it doesn't matter, since you can't even access the value in the IF condition.
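The comment above describes a browser treating a named child IFrame as if it were the JavaScript object or method the page expected (parent.BrowserHistory.setBrowserURL resolving to a frame inside a frame). The following is an added example, not code from the original post or from the commenters, showing how page code that reads an API off a cross-frame reference can refuse values that are really window objects or that cannot be read at all. The function names, the fake window stand-ins and the sample URL are constructed assumptions; the resolver treats anything that is self-referential like a window (obj.window === obj) as clobbered and returns null instead of calling it.

```javascript
// Added example (not from the original post or its comments): a defensive
// resolver for a cross-frame API reference such as parent.BrowserHistory.setBrowserURL.
// Names, object shapes and the simulated window objects below are constructed
// assumptions for the purpose of the demonstration.

// Returns true when `obj` looks like a window/frame proxy rather than a plain
// JavaScript object created by application code. Real windows are
// self-referential (window.window === window, window.self === window).
function looksLikeWindow(obj) {
  if (obj === null || typeof obj !== 'object') return false;
  return obj.window === obj || obj.self === obj;
}

// Resolves the expected API off the parent window. Returns a callable wrapper
// only when both the container and the method are what the page expects;
// returns null when the property is missing, is a (named) frame, or cannot be
// read because the access is cross-origin and the browser throws.
function resolveBrowserHistoryApi(parentWin) {
  let api;
  try {
    api = parentWin.BrowserHistory;
  } catch (e) {
    // Cross-origin read: the browser denied access, so do not proceed.
    return null;
  }
  if (api === null || api === undefined || looksLikeWindow(api)) return null;
  const fn = api.setBrowserURL;
  if (typeof fn !== 'function') return null;
  return (url) => fn.call(api, url);
}

// Constructed stand-ins for window objects (not real browser windows).
function makeFakeFrame(extra) {
  const w = { location: { href: 'about:blank' } };
  w.window = w;
  w.self = w;
  return Object.assign(w, extra || {});
}

// Legitimate parent: application code defined BrowserHistory as a plain object.
const recordedUrls = [];
const legitimateParent = makeFakeFrame({
  BrowserHistory: {
    setBrowserURL(url) { recordedUrls.push(url); return true; },
  },
});

// Clobbered parent (the scenario in the comment): a child IFrame named
// "BrowserHistory" whose document holds another IFrame named "setBrowserURL".
const clobberedParent = makeFakeFrame({
  BrowserHistory: makeFakeFrame({ setBrowserURL: makeFakeFrame() }),
});

// Cross-origin parent: every property read throws a security exception,
// which is the behaviour the comment reports for Firefox.
const crossOriginParent = new Proxy({}, {
  get() { throw new Error('Permission denied to get property'); },
});

// Runs the resolver against all three parents and reports which outcomes
// match the defensive expectation.
function demo() {
  const results = {};
  const call = resolveBrowserHistoryApi(legitimateParent);
  results.legitimate = call !== null && call('/app#state') === true;
  results.clobbered = resolveBrowserHistoryApi(clobberedParent) === null;
  results.crossOrigin = resolveBrowserHistoryApi(crossOriginParent) === null;
  return results;
}
```

The wrapper calls the method with the container as `this`, so a legitimate `BrowserHistory` object keeps working unchanged; only references that resolve to frames, or that the browser refuses to expose, are dropped.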

Prasad Shenoy
Ory Segal

@Prasad - you are right. Thanks for pointing that out.

coco
