[Webappsec] Tacking A Difficult Problem - Solutions
Amit Klein
aksecurity at gmail.com
Fri Apr 20 05:28:49 EDT 2007
A few more comments...
Amit Klein wrote:
> If this is a public site, and people access it through a forward proxy
> (as I've seen several ISPs, universities, etc. force their clients to
> do), or a transparent proxy (ditto), then the attacker doesn't have to
> run malicious code on the client - the attacker can mount the attack
> directly, through the proxy (assuming the attacker has "legit" access to
> the same proxy). That's assuming at least one of the vulnerable scripts
> can be accessed over port 80 (non-HTTPS).
>
> Moreover, even if the attacker cannot access the proxy server (or the
> whole site must be accessed over HTTPS), HTTP Response Splitting can be
> used to elevate an existing XSS problem into something bigger (see the
> paper, pages 21-22).
>
>
And even if the attacker doesn't have direct access to the proxy, he/she
can force the client to conduct the attack, using Flash ("Sending
arbitrary HTTP requests with Flash 7/8 (+IE 6.0)",
http://www.securityfocus.com/archive/1/443391).
>> Sure you can split the response. But what exactly are you going to do
>> with the second one?
>>
>
> You can do XSS. See the paper - p.4 and pages 19-21.
>
>
And browser cache poisoning too.
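As an added worked example, not part of the original post or of the paper it cites, the following Python models the response-splitting scenario discussed in the thread: a hypothetical redirect handler that copies a URL-decoded query parameter into the Location header, the attacker-controlled value that turns one response into two, a toy keep-alive proxy parser that shows the second response landing as a separate, attacker-authored HTML document (the XSS and cache-poisoning primitive), and a hardened handler that rejects CR/LF and re-encodes the value. The host name, the handler names and the attacker payload are all constructed for illustration.

```python
# Added example, not code from the original post: a toy model of HTTP
# response splitting. `vulnerable_redirect` and `hardened_redirect` are
# hypothetical handlers; `parse_responses` mimics a keep-alive proxy.
from urllib.parse import quote, unquote

HOST = "http://example.test"  # assumed host, for illustration only


def vulnerable_redirect(lang):
    """302 redirect that copies the URL-decoded `lang` parameter into the
    Location header without stripping CR/LF. This is the defect that
    makes response splitting possible."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {HOST}/index.php?lang={unquote(lang)}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("utf-8")


def hardened_redirect(lang):
    """Same redirect with two fixes: reject any CR/LF in the decoded value,
    and percent-encode it again when embedding it in the header, so no
    client-controlled byte can terminate a header line."""
    value = unquote(lang)
    if "\r" in value or "\n" in value:
        return (
            "HTTP/1.1 400 Bad Request\r\n"
            "Content-Length: 0\r\n"
            "\r\n"
        ).encode("utf-8")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {HOST}/index.php?lang={quote(value, safe='')}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("utf-8")


def parse_responses(raw):
    """Reads `raw` the way a simple keep-alive proxy (or browser) does: a
    status line, headers up to the first blank line, then exactly
    Content-Length bytes of body, repeated until the stream ends or no
    valid status line follows. Returns a list of (status, headers, body)."""
    responses = []
    pos = 0
    while True:
        end = raw.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        lines = raw[pos:end].decode("utf-8", "replace").split("\r\n")
        status = lines[0]
        if not status.startswith("HTTP/"):
            break  # trailing garbage; a real proxy would close the connection
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = raw[body_start:body_start + length].decode("utf-8", "replace")
        responses.append((status, headers, body))
        pos = body_start + length
    return responses


# Constructed attacker input: a `lang` value that terminates the first
# response and supplies a complete second one. The proxy pairs that second
# response with the next request on the connection, which is how the split
# becomes XSS and, with cache headers like the one below, cache poisoning.
INJECTED_BODY = "<script>alert(document.cookie)</script>"
ATTACKER_LANG = quote(
    "en\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: max-age=3600\r\n"
    f"Content-Length: {len(INJECTED_BODY)}\r\n"
    "\r\n"
    f"{INJECTED_BODY}",
    safe="",
)


if __name__ == "__main__":
    for handler in (vulnerable_redirect, hardened_redirect):
        parsed = parse_responses(handler(ATTACKER_LANG))
        print(handler.__name__, "->", [status for status, _, _ in parsed])
```

Run it and the vulnerable handler yields two responses for one request, the second being the attacker's HTML; the hardened handler yields a single 400. The parser is deliberately strict (it stops at the first non-status-line leftover); real proxies differ in how they resynchronise, which is why the paper treats the exact proxy in the path as part of the attack surface.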