Comments on Jeremiah Grossman: "I know if you're logged-in, anywhere"
Blogger comments feed, last updated 2024-02-08. 24 comments, listed oldest first.

Anonymous, 2006-12-14 09:11 -08:00:
Excellent find Jeremiah!
Wow, pretty crazy approach I never thought of... :)

Anonymous, 2006-12-14 09:21 -08:00:
Brutal. Makes those "oh noes!" scenarios of XSRF attacks that are both broadly targeted and of a serious nature a lot more plausible.

Jeremiah Grossman, 2006-12-14 09:48 -08:00:
Thanks guys. Just inching the capabilities a little bit further.

Anonymous, 2006-12-14 11:40 -08:00:
Clever. :-)

This should make for some more intelligent CSRF attacks.

gRegor, 2006-12-14 12:10 -08:00:
Dang. The Gmail one does not appear to work for me? I'm logged into Gmail, open in another tab, and the script tells me "not logged in".

sadkfnvkasdhvbxzjh, 2006-12-14 12:35 -08:00:
This comment has been removed by the author.

Jeremiah Grossman, 2006-12-14 12:52 -08:00:
gRegor, it is expected that there will be some stability issues with the PoC. If you post the JS console error that you're getting, it can be added to the PoC signatures.

sadkfnvkasdhvbxzjh, 2006-12-14 12:56 -08:00:
The problem with GMail is that you're missing "(expected link)" after "name mismatch". Change that and it works fine. Google doesn't work either because it needs "(expected a)". It might be an extension causing it since you didn't have this problem, Jeremiah. I'll disable a few of them at a time and see what happens.

Jeremiah Grossman, 2006-12-14 12:59 -08:00:
Hey ghozt, I figured there were going to be these lil issues between browsers. The PoC should stand a rewrite with a bit more scalable if/else-if model to compensate.
Now that people get the basic idea, I'm sure improvements will be made quickly.

sadkfnvkasdhvbxzjh, 2006-12-14 13:18 -08:00:
Yeah. You aren't running FF 2.x are you? I disabled every extension and it's still giving me expected link ( http://img2.freeimagehosting.net/uploads/1ffc051c4c.jpg ), so it must just be an extra 2.0 feature. I'll go ahead and get the other login_msg's for a 2.0 PoC.

Jeremiah Grossman, 2006-12-14 13:39 -08:00:
I tested in both on OS X, but any number of things can throw off the signatures. And they aren't that forgiving.

sadkfnvkasdhvbxzjh, 2006-12-14 13:45 -08:00:
Yeah, I see what you're saying now.
Anyway, the different signatures are:

GMail: XML tag name mismatch (expected link)
Line: 8
----------
Blogger: XML tag name mismatch (expected meta)
Line: 1
----------
Google: XML tag name mismatch (expected a)
Line: 91

For now anyway. I tested all of the sites listed in the PoC.

Anonymous, 2006-12-14 14:19 -08:00:
Simple and awesome..

You never cease to impress me ^^

Unknown, 2006-12-14 14:58 -08:00:
This is definitely pretty esoteric but a great idea! Is it possible to override this vector by adding an empty default error handler like document.onerror = function(){return false}; ?

Jeremiah Grossman, 2006-12-14 15:34 -08:00:
maluc, thank you very much, I try. :)

mario, that's a great question, I didn't even really start thinking about defense until I posted. I think your idea might work actually, or at least throw a big wrench into the works. But you want to return true, not false.

Anonymous, 2006-12-14 17:33 -08:00:
Very clever,

I was investigating the matter as well but I have never thought about checking the line numbers that generated the error.

Good find.

.mario,

you can do that. It works exactly the way you describe it. So you can capture the error as soon as it is generated and cancel the event, then dispatch to the original onerror callback if there is one installed. This way you can make it very stealthy. In fact, this is what I did with some subroutines in AttackAPI.

Anonymous, 2006-12-14 23:02 -08:00:
What I really like about this exploit is that it can be used as a replacement for the CSS History hack, and the interesting thing is that I cannot figure out how someone can prevent attackers from knowing where you are at the moment unless the browser checks the referenced files to make sure they are JavaScript.

Unknown, 2006-12-15 01:43 -08:00:
Hi!

Thanx, you're of course right - return value has to be true, not false - 'twas very late when I read your post ;)

Greetings,
.mario

Jeremiah Grossman, 2006-12-15 08:10 -08:00:
pdp, yah this is going to be a tough one to figure out how to defend in the browser, and technically speaking, JavaScript isn't the only thing expected to be script src'ed in. For example, E4X. Which is going to open up a whole new can o' worms.

Anonymous, 2006-12-19 02:12 -08:00:
Not sure if an error output interception would be any good as the entire process is client-side...

Anonymous, 2006-12-30 16:56 -08:00:
Does not work for me (FF 2.0, Linux).

Unknown, 2007-01-04 14:24 -08:00:
4 of those tests pop a cookie notification (or 2) for those of us who have it turned on. I might wonder why MSN suddenly wants to leave a cookie when I'm looking at Wikipedia (or whatever). Still a great hack, but not always invisible.
(and it missed my Gmail login, too)

Anonymous, 2009-03-24 03:08 -07:00:
Nice fix, you saved me some time :)

ilan, 2010-04-29 05:43 -07:00:
It doesn't work for me, Linux FF 2.0.