« September 2011 | Main | November 2011 »

October 2011

October 24, 2011

JSON-based XSS exploitation

JSON rendering in Internet Explorer

In the world of Web2.0 and mash web applications, security researchers come across more and more XSS vulnerabilities that are reflected in non HTML responses.
For example, JSON responses are becoming more and more common, but exploiting XSS vectors in those pages is considered theoretical because browsers pop up the file download dialog instead of rendering the response when the returned content-type is application/json or application/javascript.

There are a few known methods to indirectly exploit these issues:

 

1. Attacking the JSON parsing mechanism:
Some applications use JS evaluation functions in order to create an object from the returned JSON content. If the attacker is able to inject, for example, a quote sign, he can break out of the JS string surrounding the value and exploit the XSS through the eval function. For example:

"name":"Foo "+alert(/XSS/.source)+"Bar"

Continue reading "JSON-based XSS exploitation" »

Posted by on October 24, 2011 | | Comments (2) | TrackBack (0)

| |

October 18, 2011

DNS poisoning via Port Exhaustion

Today we are releasing a very interesting whitepaper which describes a DNS poisoning attack against stub resolvers.

It discloses two vulnerabilities:

  1. A vulnerability in Java (CVE-2011-3552, CVE-2010-4448) which enables remote DNS poisoning using Java applets. This vulnerability can be triggered when opening a malicious webpage. A successful exploitation of this vulnerability may lead to disclosure and manipulation of cookies and web pages, disclosure of NTLM credentials and clipboard data of the logged-on user, and even firewall bypass.
  2. A vulnerability in multiuser Windows environments which enables local DNS cache poisoning of arbitrary domains. This  vulnerability can be triggered by a normal user (i.e. one with non-administrative rights) in order to attack other users of the system. A successful exploitation of this vulnerability may lead to information disclosure, privilege escalation, universal XSS and more.

The whitepaper can be found here.

A few video demos of our Proof-of-Concept:

  1. Attack: Remote DNS poisoning via Java Applets: Cookie theft.
    Environment: Ubuntu 11.04, Firefox 7.0.1. Movie link  
  2. Attack: Remote DNS poisoning via Java Apples: NTLM credentials and Clipboard theft.
    Environment: Windows 2008, Internet Explorer 9.  Movie link
  3. Attack: Remote DNS poisoning via Java Applets: Firewall bypass.
    Environment: Windows 2008, Firefox 7.0.1. Movie Link
  4. Attack: Local DNS poisoning via port exhaustion. Movie link
    Environment: Windows 2008. 

We would like to thank Oracle and Microsoft for their cooperation.

-Roee Hay and Yair Amit

Posted by on October 18, 2011 in Research | | Comments (0) | TrackBack (0)

| |

October 11, 2011

Google App Engine Code Execution Vulnerability (CVE-2011-1364)

We have recently identified an interesting code execution vulnerability in the Google App Engine SDK for Python. By combining a CSRF vulnerability in the administration web UI, with some other vulnerabilities we found in the Google python libraries, a remote hacker could gain remote code execution privileges on victim's machine. This vulnerability affects all operation systems running Google App Engine SDK for python (i.e. Windows, Mac OS, etc.).

The full advisory can be found here.

As always, Google has been very quick with fixing the issue. According to the company, the fix was provided in version 1.5.4, which was released on Sep 12th.

 

Posted by on October 11, 2011 in Web Application Security | | Comments (0) | TrackBack (0)

| |

Follow us on Twitter

IBM Application Security Insider
IBM Application Security Insider

AppScan Free Trial


Try IBM Security AppScan software at no charge.

Search

Recent Posts

Archives

Categories

Pages

Become a Fan