
List:       websecurity
Subject:    Re: [WEB SECURITY] HOST header exploitation
From:       bugtraq () cgisecurity ! net
Date:       2009-04-27 17:05:51
Message-ID: 20090427175108.51778.qmail () cgisecurity ! net

Flash will be restricted by the flash socket policy introduced in later versions of flash player. This requires the host you wish to connect to to host the socket policy file. Socket policies are typically not served up via HTTP, requiring a daemon to bind a TCP socket on the same IP as the other virtualhost you wish to attack.

XHR was a vulnerability that was fixed a while ago (other unknown holes may exist).

Signed applets will let you do what you want. 

<bigpimpin>
I published a paper last month involving host header modification via flash to abuse transparent proxies. It touches on how flash operates and can be found at http://www.thesecuritypractice.com/the_security_practice/2009/03/socket-capable-browser-plugins-result-in-transparent-proxy-abuse.html . </bigpimpin>

A sample socket server with instructions can be found at http://www.lightsphere.com/dev/articles/flash_socket_policy.html .

Regards,
- Robert A.
http://www.cgisecurity.com/
http://www.webappsec.org/
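An added example, written by the editor and not posted by anyone in this thread, showing the redirect-building bug Matt describes (session ID appended to a redirect derived from the Host header) beside a hardened version that only trusts a Host value from a fixed allowlist. The hostnames, URL path and parameter name are constructed placeholders.

```python
"""Host-header-derived redirects: the vulnerable pattern and a hardened one.

Added example, not code from the thread. Hostnames and paths are constructed.
"""

# Hostnames this deployment is really served under (constructed placeholders).
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}
CANONICAL_HOST = "app.example.com"


def normalize_host(host_header: str) -> str:
    """Lower-case the Host value and drop any :port so it can be compared
    against the allowlist. A bracketed IPv6 literal is left intact and will
    simply fail the allowlist check below."""
    host = host_header.strip().lower()
    if host.startswith("["):
        return host
    return host.split(":", 1)[0]


def is_trusted_host(host_header: str) -> bool:
    """True only when the request's Host names one of our own hostnames."""
    return normalize_host(host_header) in ALLOWED_HOSTS


def vulnerable_redirect(host_header: str, session_id: str) -> str:
    """The pattern under discussion: the framework echoes whatever Host the
    request carried, so the session ID is sent to whichever hostname the
    request named."""
    return f"https://{host_header}/login/complete?sid={session_id}"


def safe_redirect(host_header: str, session_id: str) -> str:
    """Hardened form: build the redirect from an allowlisted hostname only,
    falling back to the canonical hostname instead of echoing the header.
    Behind a reverse proxy the same check applies to X-Forwarded-Host."""
    host = normalize_host(host_header) if is_trusted_host(host_header) else CANONICAL_HOST
    return f"https://{host}/login/complete?sid={session_id}"


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one with a foreign Host.
    for hdr in ("app.example.com", "WWW.example.com:443", "evil.example.net"):
        print(hdr, "->", safe_redirect(hdr, "sid123"))
```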

> 
> Flash & Java will be the best candidates.
> They have socket capability and you can use them to exploit via
> payload like XSRF.
> 
> 
> On 4/27/09, Matt Hellman <mhellman@taxandfinance.com> wrote:
> > I have an application that is vulnerable to HOST header manipulation.
> > In this case, it's an issue with the authentication framework that
> > eventually appends a session ID to a redirect based on the HOST header.
> > To exploit this weakness, how might an attacker get a victim to submit a
> > request with a crafted HOST header? XHR? Flash? Java?
> > 
> > TIA,
> > Matt
> > 
> > 
> > ----------------------------------------------------------------------------
> > Join us on IRC: irc.freenode.net #webappsec
> > 
> > Have a question? Search The Web Security Mailing List Archives:
> > http://www.webappsec.org/lists/websecurity/archive/
> > 
> > Subscribe via RSS:
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> > 
> > Join WASC on LinkedIn
> > http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> > 
> > 
> 

