Comments on Jeremiah Grossman: XST sorta Lives! (Bypassing httpOnly)
Comment feed, 16 comments, last updated 2024-02-08. Blog author profile: http://www.blogger.com/profile/05017778127841311186

----

Anonymous, 2009-11-21 14:11 -08:00

Who knows where to download XRumer 5.0 Palladium? Help, please. Everyone recommends this program for advertising effectively on the Internet; it is the best program!

----

Rafa Sánchez (https://www.blogger.com/profile/09129204236166177968), 2008-04-28 05:52 -07:00

Sorry for the reply :(

----

Rafa Sánchez, 2008-04-28 05:48 -07:00

Hi Jeremiah!
Thanks for the answer.

I obtain the TRACE server response including the "xst: test" header I use in the request, but not the authentication headers.
I tested it (it's a proof of concept) with Apache/2.2.3, and the client is Firefox 2.0.0.14.
This is the code with which I achieved it (with help from a workmate):

    var l = document.location;
    var host = l.host.toString();
    var port = 80;
    // getByName is a static method; calling it with 'new' is not needed
    var addr = java.net.InetAddress.getByName(host);
    // the Java socket is opened by the plugin, not by the browser's HTTP stack
    var socket = new java.net.Socket(addr, port);
    var wr = new java.io.PrintWriter(socket.getOutputStream(), true);
    var rd = new java.io.BufferedReader(new java.io.InputStreamReader(socket.getInputStream()));
    // HTTP requires CRLF line endings; Connection: close makes the server
    // end the stream so the readLine() loop below terminates
    wr.print("TRACE / HTTP/1.1\r\nHost: " + host + "\r\nxst: test\r\nConnection: close\r\n\r\n");
    wr.flush();
    var lines = "";
    var str;
    while ((str = rd.readLine()) != null) { lines += str + "\n"; }
    wr.close();
    rd.close();
    socket.close();

I use Basic authentication on the server to try to obtain it in the TRACE reply.

I can see the server logs, and the TRACE request is in there, but nothing else. No authentication headers anyway.

If I knew your email I could send you more information about my proof of concept. My email is rafa.sgomez@gmail.com.

Thanks very much.

----

Jeremiah Grossman, 2008-04-18 01:26 -07:00

Hmm, it's possible they changed how the browser behaves with this trick. What distribution/version are you using for testing?

----

Anonymous, 2008-04-17 05:14 -07:00

Last week I visited your blog and I liked it. I found this post about using XST and JavaScript to obtain Basic and Digest credentials and bypass the httpOnly cookie flag very interesting. I decided to do a proof of concept of your scripts. I did it with some changes, but now I have a problem.
The TRACE request that the script makes is:

    wr.write("TRACE / HTTP/1.1\r\n");
    wr.write("Host: " + host + "\r\n");
    wr.write("\r\n");

This request doesn't include Authorization headers, so neither does the server response. I mean that if the auth credential headers are out of reach of JavaScript, we cannot include them in the TRACE request that we send to the server. Consequently, the TRACE response from the server will not include these auth headers.
You say that "As an additional benefit of XST, attackers can gain access to Basic, Digest, and NTLM Auth credentials located in HTTP request headers and typically out of reach of JavaScript." How can that be possible?
Maybe I am wrong or I'm missing something.

Cheers

----

kuza55 (https://www.blogger.com/profile/03932544559060480887), 2007-05-01 13:52 -07:00

I think Microsoft has just abandoned IE 6 SP2 and concentrated all their efforts on IE 7, because other than that bug there is also a bug which allows you to view the Set-Cookie headers as well. And neither of those bugs worked in IE 7 when I tested them...

----

Jeremiah Grossman, 2007-05-01 07:09 -07:00

Hey Jordan, the one attack that immediately came to mind, de-anonymizing, someone had already found and I didn't know about it. What I have learned from the exchange, though, is that there is a lot I don't understand about Java's capabilities in the browser and how JS can interact with it. Along your line of thinking, perhaps another way to launch a response splitting attack or something like that... I'll have to think a lot about this.

----

Jordan (https://www.blogger.com/profile/08341608982649448622), 2007-05-01 07:05 -07:00

So what tricks could this still be used for? It seems like all the usual attacks against the browser won't work since it's not handling the response, but it would still be perfectly functional for cache poisoning attacks. No need to even use the TRACE option. Still have to deal with same-origin though.

Maybe that's the other attack still up your sleeve. ;-)

----

Jeremiah Grossman, 2007-05-01 00:16 -07:00

And there it is, in plain English as it were. Thanks Wladimir, good stuff. Another one of those things I don't think many people knew about, including myself.

----

Anonymous, 2007-04-30 19:30 -07:00

I just realized that there is an English version of the same document as well: http://webwarper.net/wwantianonymizer.htm#wwaa

----

Anonymous, 2007-04-30 17:49 -07:00

Yes, Java can be used as a de-anonymizer. Here is an example: http://algart.net/system/antianonymizetest.pl

A more in-depth explanation is at http://webwarper.net/wwantianonymizerru.htm#wwaa (sorry, that's Russian, but maybe the machine translation is readable). The whole concept was originally discussed here: http://xpoint.ru/forums/internet/theory/thread/33876.xhtml (yes, Russian again).

But Java has its own proxy settings (Control Panel / Java / Network Settings on Windows). The default is "use browser settings"; they probably read Internet Explorer's settings for that.

----

Jeremiah Grossman, 2007-04-30 17:21 -07:00

Oh sure, you could use a proxy if you wanted to. What I'm talking about here is trying to de-anonymize a user.

----

Anurag Agarwal (https://www.blogger.com/profile/00132226679618654350), 2007-04-30 17:13 -07:00

If you want to use a proxy server, you can specify it by its address. For example, this code fragment uses the SOCKS proxy server at myproxy.example.com to connect to the host login.ibiblio.org:

    // java.net.* imports assumed
    SocketAddress proxyAddress = new InetSocketAddress("myproxy.example.com", 1080);
    Proxy proxy = new Proxy(Proxy.Type.SOCKS, proxyAddress);
    Socket s = new Socket(proxy);
    SocketAddress remote = new InetSocketAddress("login.ibiblio.org", 25);
    s.connect(remote);

----

Jeremiah Grossman, 2007-04-30 15:55 -07:00

Ok, so if this is the case, that Java handles the entire HTTP request outside the browser, does this mean we can potentially de-anonymize browser proxies? I just proxied myself through Paros (HTTP Proxy 8080 preference), then used this method to send a request. Didn't touch the proxy.

----

Jeremiah Grossman, 2007-04-30 15:50 -07:00

You didn't miss anything except the dolt who wrote the post. Argh!

----

Jordan, 2007-04-30 15:45 -07:00

Nice!

I'm a bit confused though. If Java is doing the entire connection itself, then you're not really going to be able to get the cookies or the Digest credentials, are you?

If the browser doesn't get into the process of sending the data, it doesn't send along httpOnly cookies, or the other juicy bits that you'd want to get access to, and thus you'd never see them in the TRACE response, right?

I'm sure I'm missing something, but I don't see what yet.
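The point Jordan and Rafa raise above, as an added example in Node.js JavaScript (not code from the original post or from any commenter): a TRACE reply is nothing more than an echo of the request the server received, so a request assembled over a raw java.net.Socket contains, and echoes back, only the headers the script itself wrote, whereas a browser-mediated request would have carried the httpOnly cookie and the Authorization header. The two "agents", the cookie and Basic-auth values, the host name and the minimal TRACE echo handler are all constructed for illustration; nothing is sent over the network.

```javascript
// Added example: why TRACE over a raw socket cannot leak httpOnly cookies or
// Authorization headers. Everything below is a constructed model, not a
// reproduction of any real server or browser.

const CRLF = '\r\n';

// Serialize a request line plus a header map into HTTP/1.1 wire format.
function buildRequest(method, path, headers) {
  const lines = [`${method} ${path} HTTP/1.1`];
  for (const [name, value] of Object.entries(headers)) {
    lines.push(`${name}: ${value}`);
  }
  return lines.join(CRLF) + CRLF + CRLF;
}

// Constructed stand-in for what the browser holds and attaches on its own:
// the cookie jar (httpOnly cookies included) and cached Basic credentials.
const BROWSER_HELD = {
  Cookie: 'SESSIONID=deadbeef',          // constructed httpOnly session cookie
  Authorization: 'Basic dXNlcjpwYXNz',   // constructed "user:pass"
};

// Browser-mediated request (what an XMLHttpRequest TRACE did before browsers
// blocked the method): the UA appends its own credential headers.
function browserRequest(host, scriptHeaders) {
  return buildRequest('TRACE', '/', { Host: host, ...scriptHeaders, ...BROWSER_HELD });
}

// Raw socket request (java.net.Socket driven from LiveConnect): the bytes are
// exactly what the script wrote; the browser never touches them.
function rawSocketRequest(host, scriptHeaders) {
  return buildRequest('TRACE', '/', { Host: host, ...scriptHeaders });
}

// Minimal TRACE handler: the server returns the request it received as a
// message/http body (RFC 2616 section 9.8). Constructed for the example.
function traceEcho(rawRequest) {
  const head = [
    'HTTP/1.1 200 OK',
    'Content-Type: message/http',
    `Content-Length: ${Buffer.byteLength(rawRequest)}`,
    'Connection: close',
  ];
  return head.join(CRLF) + CRLF + CRLF + rawRequest;
}

// Pull the echoed request out of the TRACE response and return its headers,
// names lower-cased, so an attacker's script could read them.
function echoedHeaders(rawResponse) {
  const sep = rawResponse.indexOf(CRLF + CRLF);
  const body = rawResponse.slice(sep + 4);
  const [, ...headerLines] = body.split(CRLF).filter((l) => l.length > 0);
  const out = {};
  for (const line of headerLines) {
    const i = line.indexOf(':');
    out[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return out;
}

// Which credential-bearing headers does the attacker learn from the echo
// when the given agent sends the TRACE? Returns a sorted list of names.
function leakedCredentials(agent, host) {
  const response = traceEcho(agent(host, { xst: 'test' }));
  const h = echoedHeaders(response);
  return ['authorization', 'cookie'].filter((name) => name in h);
}

console.log('browser-mediated TRACE echoes:', leakedCredentials(browserRequest, 'victim.example'));
console.log('java.net.Socket TRACE echoes:  ', leakedCredentials(rawSocketRequest, 'victim.example'));
```

The script's own `xst: test` header comes back in both cases, which is exactly what Rafa observed in his Apache logs: the echo proves the TRACE reached the server, but the only thing it can reflect is what the requesting socket put on the wire. Protecting against XST therefore still means disabling TRACE on the server (for example `TraceEnable off` in Apache httpd), since the proxy-bypass and cache-poisoning angles discussed in the thread do not depend on any credential being echoed.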