Search This Blog

seckb*

Weakness, Attack, Exploitation Patterns, and things learnt by YGN Ethical Hacker Group

Subscribe to this blog

Follow by Email

[Book-Review] HTTP Pocket Reference: Hypertext Transfer Protocol

Get link
Facebook
Twitter
Pinterest
Google+
Email
Other Apps

By YGN Ethical Hacker Group - April 17, 2010

A must-have for a quick review when writing web tools.

book-reviews

Get link
Facebook
Twitter
Pinterest
Google+
Email
Other Apps

Comments

XSS: Gaining access to HttpOnly Cookie in 2012

By YGN Ethical Hacker Group - June 23, 2012

Update 2016/02:
We were asked by a lot if this still works. Shortly after our disclosure, this issue has been patched.

------
The Background - The Past
Gaining access to HttpOnly cookie was first attempted by means of XST, Cross Site Tracing vulnerability.

Soon after the popularity of XST, the TRACE method has been disabled by most web servers. Later, browsers' implementation of XMLHttpRequest also blocked "TRACE" method (i.e. xmlhttp.open('TRACE', url, true)]. Later, a flawed implementation in Firefox's XMLHttpRequest which can be used to access set-cookie response header was fixed.

JS Debugger pointing out "TRACE" method as invalid arugment
JS Debugger pointing out "TRACE" method as illegal value
A Sla.ckers.org forum member, LeverOne, posted ways to access HttpOnly cookie through the use of Java API and applet. I reproduced his techniques. When the first method was tried, the Java Runtime did not allow the HTTP TRACE method any more. …

HttpOnly Session ID in URL and Page Body | Cross Site Scripting

By YGN Ethical Hacker Group - June 03, 2012

The Background

We have been seeing authentication session ID appeared in URL Query String/REST URI and page body. The use of session ID in Query String is to enable session tracking for web browsers which disable or do not support browser-based cookie mechanism. This is commonly seen in Java web applications and cookieless mechanism in ASP.net web applications.

From what we have seen so far, the session ID in page body is used as anti Cross Site Request Forgery token or anti-cache parameter though it is not very common.

The Problem

It should be noted that even though developers use the "HttpOnly" session cookie, the above-mentioned leakages of session ID in URL and page body nullify the effectiveness of "HttpOnly" flag. This no doubt leads attackers to gain access to the HttpOnly session cookie via an Cross Site Scripting (XSS) vulnerability as JavaScript can read anything in the page body and URL information.

From Vulnerability to Exploit (Joomla! SQL Injection)

By YGN Ethical Hacker Group - May 18, 2011

James from GulfTech Research and Development coded Joomla! SQL Injection Exploit in Metasploit from SQL Injection to Remote Code Execution

https://docs.google.com/leaf?id=0B5oxcQ53hliTNmZlNGJmODEtNmQ3MC00YWI2LThmMTAtZjUzMGU0OTcxOTNh&hl=en

It works for our previous disclosure of:

http://yehg.net/lab/pr0js/advisories/joomla/core/%5Bjoomla_1.6.0%5D_sql_injection

We thank James for his excellent working exploit that provides Proof-of-Concept for a vulnerability that Joomla! Core Developers think of as Information Disclosure Only.

http://developer.joomla.org/security/news/328-20110201-core-sql-injection-path-disclosure.html

Labels

*nix
anti-csrf-bypass
anti-virus
banking-security
book-reviews
browser-protection
case-studies
clickjacking
cookie
cross-domain

CTF
data-leakage
exploits
false-negatives
fraud-check
giac
httponly
ikat
java
kiosk
layer-8-bad-habits
layer8
malware-spread
mobile-security
mobile-security banking mobile-virus
out-of-box myth
password
password-control
prison-break
redos
remote-management
restriction-bypass
risky-features
sans-institute
secure_coding
security
session cookie
session id
tampering
third-party components
threats
tools
view-state
waf
web-app-security
web-hacking
xss
xss-bypass

Show more Show less