Loose source checking - why referer bypass occurs

By YEHG -
Insufficient checking was commonly associated with the flaw that allows bypasses to happen.

This happened when Programmers checks only for "containment" rather than thorough implementation of checking.

Insecure:
public class LooseSourceCheck {
    public static void showExample(String url){

        try{
            if(url.startsWith("http://trustedsubdomain")){
                System.out.print(String.format("Trusted subdomain: ", url));
            }
            else {
                    throw new IOException("Untrusted subdomain: " + url);
            }
        }
        catch(Exception ex){
        }
    }
}
Secure:

 

public class StrictSourceCheck {

    public static void showExample(){

        try{
            String[] approved_hosts = {
                    "trust1.yehg.net",
                    "trust2.yehg.net",
     "trust3.yehg.net",
     "trust4.yehg.net"
            };

            String url = "http://trust1.attacker.net/hack.jpg";
            URL netUrl = new URL(url);
            String host = netUrl.getHost();

            Boolean b = Arrays.asList( approved_hosts ).contains(host);
            if(!b){
                System.out.println("Untrusted domain: " + url);
            }else{
                System.out.println("Trusted domain: " + url );

            }
        }
        catch(Exception ex){


        }
    }
}












































Comments











Post a Comment























Popular posts from this blog









XSS: Gaining access to HttpOnly Cookie in 2012







By


YGN Ethical Hacker Group



-














Image







 Update 2016/02:  We were asked by a lot if this still works.  Shortly after our disclosure, this issue has been patched.   ------     The Background - The Past   Gaining access to  HttpOnly cookie  was first attempted by means of XST,  Cross Site Tracing  vulnerability.   Soon after the popularity of XST, the TRACE method has been disabled by most web servers.  Later, browsers' implementation of XMLHttpRequest also blocked "TRACE" method (i.e.  xmlhttp.open('TRACE', url, true) ].  Later,  a flawed implementation in Firefox's  XMLHttpRequest  which can be used to access set-cookie response header was fixed.         JS Debugger pointing out "TRACE" method as invalid arugment         JS Debugger pointing out "TRACE" method as illegal value   A Sla.ckers.org forum member, LeverOne, posted ways to access HttpOnly cookie through the use of Java API and applet.  I reproduced his techniques. When the first method was tried, the Java Runtime did no








Read more










Jumping out of Touch Screen Kiosks







By


YGN Ethical Hacker Group



-














Image







 Background:   Nowadays, the use of large touch screen kiosks has been prevalent.  They are to replace tradition paper-based brochures and to provide more interactive means to consumers. In restaurants, you can see a variety of food menu that can be accessible in large touch screen LCD monitor.  In your local Telcos, you can see a variety of mobile and Internet subscriptions plans.     Behind these touch screen menus are running standalone or browser-mode Adobe Flash applications which are second-to-none for interactivity and scalablity and ease of update. Data could be pulled from somewhere round their centralized web severs.   Weakness: Jumping out  We cannot use  iKat  at first as we do not have access to any keyboard facility.  However, the trick is no-brainer.   Do long press on any locations and relieve.   You should see the usual Flash context menu like:  Touch "Global Settings".   A web browser window will pop up and redirect to the Adobe URL,  http://www.macromedia.c








Read more