Stored DOM Based Cross Site Scripting
Since the very first release of DOMinatorPro there has been a little 'S' button in the bottom-right corner.

Q: What does it mean?

A: First of all, I'd say it actually means that there's another feature that makes DOMinatorPro a bleeding-edge tool for finding DOM Based XSS. Stored Strings tainting is a very interesting feature that DOMinatorPro implements for tracking stored DOM Based Cross Site Scripting issues.

Think about the following scenario (pseudo code):

```
setName.do:
    String name = getFromParameter("name");
    saveOnDB(name);

getName.do:
    String name = getNameFromDB();
    // escape the value coming from the DB, so no stored XSS is there
    String jsEscape = encodeForJavaScript(name);
    print("<script>\n");
    // No problem here since it's escaped.
    print("var aName = '" + jsEscape + "';");
    print("eval(aName);\n");
    print("</script>");
```

So in the getName.do page we'll get:

```
..
<script>
var aName = 'PATTERN';
eval(aName);
</script>
..
```

At this point you surely understand the issue in the flow:

Step 1. The attacker sends name=PATTERN.
Step 2. The victim visits a page with the flawed JS.

The attacker can't directly break out of the string, since it's supposed to be correctly escaped, so a payload like

name=testPATTERN"'<

will become

var aName = 'testPATTERN\x22\x27\x3c';

which is not directly exploitable. But if that same variable is used as the argument of Function or eval, or assigned to innerHTML, or reaches some of the other sinks described on the DOMXSS Wiki (contributions welcome), then it is an exploitable issue.

No existing tool but DOMinatorPro is able to trace patterns like that during JavaScript execution. What the tester has to do is turn on tainting on Stored Strings and set the pattern to be traced in the settings. Finally, the user just has to create the scenario by browsing the application with DOMinatorPro, and she'll get output like the following (screenshot not reproduced here), where StoredTainted is the constant string transformed into a tainted one on the fly.

There are several interesting possibilities in using tainted stored strings, like applying the same checks to responses from XMLHttpRequests. But that's food for another blog post. Feedback is, as usual, really welcome.
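The flow above, as an added example in JavaScript (not code from the original post or from DOMinatorPro): encodeForJavaScript() is a hypothetical stand-in for the encoder in the pseudo code, and renderGetNameVulnerable, renderGetNameFixed, runInBrowser and traceStoredPattern are assumed names. It shows that the escaped literal itself is safe, that the eval sink still executes the stored value, and a miniature of the sink instrumentation that reports when the stored pattern reaches eval.

```javascript
// Added example, not code from the Minded Security post or from DOMinatorPro.
// encodeForJavaScript() is a hypothetical stand-in for an ESAPI-style encoder:
// each UTF-16 unit outside [A-Za-z0-9] becomes \xHH or \uHHHH, so a stored
// value can never close the single-quoted literal it is written into.
function encodeForJavaScript(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const code = s.charCodeAt(i);
    if (/[A-Za-z0-9]/.test(s[i])) out += s[i];
    else if (code <= 0xff) out += '\\x' + code.toString(16).padStart(2, '0');
    else out += '\\u' + code.toString(16).padStart(4, '0');
  }
  return out;
}

// getName.do as in the post's pseudo code: the literal is safe, the eval() sink is not.
function renderGetNameVulnerable(nameFromDb) {
  return "var aName = '" + encodeForJavaScript(nameFromDb) + "';\neval(aName);";
}

// Hardened getName.do: same literal, but aName stays data (the script's last value).
function renderGetNameFixed(nameFromDb) {
  return "var aName = '" + encodeForJavaScript(nameFromDb) + "';\naName;";
}

// Stand-in for the victim's browser running the inline script; returns the
// script's completion value (the result of its last statement).
function runInBrowser(scriptSrc) {
  return new Function('src', 'return eval(src)')(scriptSrc);
}

// Miniature of the Stored Strings tainting idea: run the page with the eval
// sink instrumented and record each time the stored pattern reaches it.
function traceStoredPattern(scriptSrc, pattern) {
  const findings = [];
  const realEval = globalThis.eval;
  globalThis.eval = function (code) {
    if (typeof code === 'string' && code.includes(pattern)) findings.push({ sink: 'eval', code });
    return realEval(code); // indirect eval, so the payload runs in global scope
  };
  try {
    new Function(scriptSrc)(); // inside, `eval` now resolves to the wrapper
  } finally {
    globalThis.eval = realEval;
  }
  return findings;
}
```

Only eval is wrapped here; DOMinatorPro tracks the tainted string into the other sinks (Function, innerHTML, ...) as well.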
Source: Minded Security Blog