List: websecurity
Subject: Re: [WEB SECURITY] HOST header exploitation
From: bugtraq () cgisecurity ! net
Date: 2009-04-27 17:05:51
Message-ID: 20090427175108.51778.qmail () cgisecurity ! net
Flash will be restricted by the flash socket policy introduced in later versions of flash player. This requires the host you wish to connect to to host the socket policy file. Socket policies are typically not served up via HTTP, requiring a daemon to bind a TCP socket on the same IP as the other virtualhost you wish to attack.

XHR was a vulnerability that was fixed a while ago (other unknown holes may exist).

Signed applets will let you do what you want.

<bigpimpin>
I published a paper last month involving host header modification via flash to abuse transparent proxies. It touches on how flash operates and can be found at http://www.thesecuritypractice.com/the_security_practice/2009/03/socket-capable-browser-plugins-result-in-transparent-proxy-abuse.html .
</bigpimpin>

A sample socket server with instructions can be found at http://www.lightsphere.com/dev/articles/flash_socket_policy.html .
Regards,
- Robert A.
http://www.cgisecurity.com/
http://www.webappsec.org/
>
> Flash & Java will be the best candidates.
> They have socket capability and you can use them to exploit via
> payload like XSRF.
>
>
> On 4/27/09, Matt Hellman <mhellman@taxandfinance.com> wrote:
> > I have an application that is vulnerable to HOST header manipulation.
> > In this case, it's an issue with the authentication framework that
> > eventually appends a session ID to a redirect based on the HOST header.
> > To exploit this weakness, how might an attacker get a victim to submit a
> > request with a crafted HOST header? XHR? Flash? Java?
> >
> > TIA,
> > Matt
> >
> >
> >
> >
> > ----------------------------------------------------------------------------
> > Join us on IRC: irc.freenode.net #webappsec
> >
> > Have a question? Search The Web Security Mailing List Archives:
> > http://www.webappsec.org/lists/websecurity/archive/
> >
> > Subscribe via RSS:
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> >
> > Join WASC on LinkedIn
> > http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> >
> >
>
>
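The redirect construction Matt describes (session ID appended to a redirect whose target is taken from the Host header), as an added example that is not code from the thread or from Matt's application: the trusting version beside a hardened one that only ever redirects to a hostname on a server-side allowlist. All hostnames and the `sid` parameter name are constructed placeholders.

```python
from typing import Optional

# Constructed values for this example; the real application's hosts are not known.
CANONICAL_HOST = "app.example.com"
ALLOWED_HOSTS = {"app.example.com", "www.app.example.com"}


def vulnerable_redirect(host_header: str, path: str, session_id: str) -> str:
    """The pattern described in the thread: the Host header is trusted verbatim,
    so whatever host the request carried becomes the redirect target that
    receives the session ID."""
    return f"https://{host_header}{path}?sid={session_id}"


def _normalize_host(host_header: str) -> Optional[str]:
    """Lower-case the Host value and strip an optional numeric port.
    Returns None for anything that is not a plain hostname (userinfo,
    path separators, whitespace), so it can never match the allowlist."""
    host = host_header.strip().lower()
    if not host or any(c in host for c in "/@?#\\ \t"):
        return None
    if host.startswith("["):
        # IPv6 literal: left as-is; it is not on the allowlist and is rejected below.
        return host
    if ":" in host:
        host, _, port = host.partition(":")
        if not port.isdigit():
            return None
    return host


def safe_redirect(host_header: str, path: str, session_id: str) -> str:
    """Hardened form: the redirect host comes from a server-side allowlist, never
    from the request alone. An unknown or malformed Host falls back to the
    canonical host, and a protocol-relative path ('//evil...') is refused so the
    path cannot smuggle a different authority either."""
    host = _normalize_host(host_header)
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    if not path.startswith("/") or path.startswith("//"):
        path = "/"
    return f"https://{host}{path}?sid={session_id}"
```

In a deployed application the allowlist belongs in configuration, and the web server's default virtual host should also reject unknown Host values so the fallback is rarely exercised.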