Cross-Site Scripting attacks via redirectors
21:44 04.08.2009
This is the English version of my article Cross-Site Scripting attacks via redirectors.
In this article I describe how redirectors in different browsers can be used to conduct Cross-Site Scripting attacks. Such attacks can steal cookies or access the site's pages to mount further attacks (when the code executed via the redirector runs in the context of the site), or they can serve phishing and arbitrary JavaScript execution (when it does not).
Besides redirecting users to malicious and phishing sites (which is the Redirector vulnerability itself), redirectors enable other kinds of attacks. In particular, in my articles Redirectors' hell and Hellfire for redirectors I wrote about using redirectors for DoS attacks. Back in January 2008 I planned to write an article about the various attacks that use redirectors (an anthology of attacks via redirectors), which I still intend to do; here I cover one of them: XSS attacks via redirectors.
There are two types of server-side redirectors: location-header redirectors, which work via the Location header, and refresh-header redirectors, which work via the Refresh header.
Depending on the browser (and the vulnerabilities in it), XSS attacks are possible through either type of redirector. The attacks work by redirecting to a javascript: URI or a data: URI.
Attack #1
As I wrote in Cross-Site Scripting vulnerabilities in Mozilla, Internet Explorer, Opera and Chrome, an XSS attack via refresh-header redirectors is possible in Mozilla 1.7.x (and earlier versions), Mozilla Firefox 3.0.8 (and earlier versions), Internet Explorer 6 (and earlier versions, but not IE7 and IE8), Opera 9.52 (earlier and later versions) and Google Chrome 1.0.154.48 (earlier and later versions). The attack works by redirecting to a javascript: URI.
Method of attack:
A request to a script on the site:
http://site/script.php?param=javascript:alert(document.cookie)
returns a response with the Refresh header:
Refresh: 0; URL=javascript:alert(document.cookie)
The code executes in the context of the site.
This browser vulnerability can be used to conduct reflected XSS attacks.
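To make the server side of this concrete, here is the redirector script that the attacks target, modelled in Python two ways. This is an added example, not code from the original article or from any real site: the first two functions reproduce the reflecting behaviour described above (the parameter is copied straight into a Refresh or Location header), and the hardened version only redirects to an http(s) URL on an allowed host or to a same-site path. The host names in ALLOWED_HOSTS and all function names are assumptions for the example.

```python
from urllib.parse import urlsplit

# Hosts this redirector may send users to (assumed for the example).
ALLOWED_HOSTS = {"site.example", "www.site.example"}


def vulnerable_refresh_headers(param: str) -> dict:
    """Refresh-header redirector as the article describes it: the param value
    is copied into the header unchecked, so ?param=javascript:alert(document.cookie)
    produces 'Refresh: 0; URL=javascript:alert(document.cookie)'."""
    return {"Refresh": "0; URL=" + param}


def vulnerable_location_headers(param: str) -> tuple:
    """Location-header redirector with the same flaw: a 302 whose target is
    whatever the client supplied (javascript:, data:, //evil.example, ...)."""
    return 302, {"Location": param}


def safe_redirect_target(param: str):
    """Return param if it is an acceptable redirect target, otherwise None.

    Accepted: an http(s) URL whose host is in ALLOWED_HOSTS, or a same-site
    absolute path.  Everything else is rejected, in particular javascript:,
    data: and vbscript: URIs and scheme-relative URLs.  Leading/trailing
    whitespace and C0 control characters are removed first, because browsers
    ignore them when they look for the scheme; urlsplit lower-cases the scheme,
    so 'JavaScript:' is caught as well."""
    candidate = "".join(ch for ch in param.strip() if ord(ch) > 0x1F)
    parts = urlsplit(candidate)
    scheme = parts.scheme.lower()
    if scheme == "":
        # Local path only.  "//host" and "/\host" are scheme-relative URLs in
        # browsers (the backslash is normalised to a slash), so refuse both.
        if candidate.startswith("/") and not candidate.startswith(("//", "/\\")):
            return candidate
        return None
    if scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return candidate
    return None


def safe_location_headers(param: str, fallback: str = "/") -> tuple:
    """Hardened redirector: 302 to the validated target, or to fallback."""
    target = safe_redirect_target(param)
    return 302, {"Location": target if target is not None else fallback}


if __name__ == "__main__":
    for value in ("javascript:alert(document.cookie)", "//evil.example/", "/account",
                  "https://site.example/login"):
        print(repr(value), "->", safe_location_headers(value))
```

The same `safe_redirect_target` check belongs in front of a Refresh header too; the header type does not change which targets are acceptable. Note that the check allow-lists hosts rather than trying to blacklist schemes: a blacklist misses the next dangerous scheme, while the allow-list fails closed.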
Attack #2
As I wrote in Cross-Site Scripting vulnerabilities in Mozilla, Firefox and Chrome, an XSS attack via refresh-header redirectors is possible in Mozilla 1.7.x (and earlier versions), Mozilla Firefox 3.0.12 (earlier and later versions) and Google Chrome 1.0.154.48 (earlier and later versions). The attack works by redirecting to a data: URI (with or without base64 encoding).
Method of attack:
A request to a script on the site:
http://site/script.php?param=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2b
returns a response with the Refresh header, and the code executes in the browser:
refresh: 0; URL=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2b
In Firefox 3.0.12 and Google Chrome the code does not execute in the context of the site, so there is no access to its cookies; in old Mozilla it does. In modern browsers this vulnerability can be used to conduct phishing attacks and to execute arbitrary JavaScript code.
Attack #3
As I wrote in Cross-Site Scripting vulnerabilities in Firefox and Opera, an XSS attack via location-header redirectors is possible in Mozilla Firefox 3.0.12 (earlier and later versions) and Opera 9.52 (earlier and later versions). The attack works by redirecting to a data: URI (with or without base64 encoding).
Method of attack:
A request to a script on the site:
http://site/script.php?param=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2b
returns a response with the Location header, and the code executes in the browser:
Location: data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+
In Firefox and Opera the code does not execute in the context of the site, so there is no access to its cookies. This browser vulnerability can be used to conduct phishing attacks and to execute arbitrary JavaScript code.
Both types of redirectors, location-header and refresh-header, are widespread on the Internet, but location-header redirectors are by far the most common, so vulnerabilities that work via location-header redirectors pose the greatest threat. In particular, this browser vulnerability makes attacks via URL redirection services possible, as I wrote concerning the vulnerability at tinyurl.com: malware can be spread through such a service by registering exploit code in place of the address to redirect to.
Attack #4
All modern browsers refuse to execute JavaScript when a location-header redirector points to a javascript: URI. But as my research showed, this is not always so. As I wrote in Cross-Site Scripting vulnerabilities in Mozilla and Firefox, an XSS attack via location-header redirectors that answer "302 Object moved" is possible in Mozilla 1.7.x (and earlier versions) and Mozilla Firefox 3.0.12 (earlier and later versions). The attack works by redirecting to a javascript: URI (a data: URI also works).
Method of attack:
A request to a script on the site:
http://site/script.php?param=javascript:alert(document.cookie)
returns a response with the Location header:
HTTP/1.x 302 Object moved
Location: javascript:alert%28document.cookie%29
The browser shows the "Object Moved" page; clicking the "here" link executes the code in the context of the site.
This browser vulnerability can be used to conduct Strictly social XSS attacks.
Attack #5
After the initial publication of this article, Aung Khant informed me on 24.08.2009 about a vulnerability in Maxthon 3 Alpha (3.0.0.145) with Ultramode which allows JavaScript execution by redirecting to a javascript: URI in location-header redirectors. It is a variation of attack #4 (which I had checked in other browsers without finding it; he found it in Maxthon). Whereas attack #4 works only with location-header redirectors that answer "302 Object moved", this one works with any 301 or 302 redirect. The attack works by redirecting to a javascript: URI.
Method of attack:
A request to a script on the site:
http://site/script.php?param=javascript:alert(document.cookie)
returns a response with the Location header:
Location: javascript:alert%28document.cookie%29
The browser shows an "Unable to connect to the site" page; clicking the "Refresh the page" link executes the code. Maxthon 3 Alpha behaves the same way in attacks #3, #4 and #5 (the code does not execute in the context of the site).
This Maxthon vulnerability can be used to conduct Strictly social XSS attacks.
Note that even when JavaScript executed via a data: URI does not run in the context of the site, the danger remains: these vulnerabilities can be used to conduct phishing attacks and to execute JavaScript code (for spreading malware).
The main advantages of this method for criminals, compared with an ordinary redirect to their own site, are, first, that they do not need a site at all (so they are harder to trace and there is nothing to take down), and second, that no anti-phishing or anti-malware filter (in browsers or in email) will filter the attack out, because the target is a data: URI rather than an http: address and so will not be in any filter's database; all such filters are bypassed. So all the vulnerabilities mentioned here need to be fixed in browsers.
Attack #6
As I wrote in Cross-Site Scripting vulnerability in Mozilla, Firefox and other browsers, an XSS attack via location-header redirectors that answer "302 Found" is possible in Mozilla 1.7.x (and earlier versions), Mozilla Firefox 3.0.19 (earlier and later versions) and potentially in other browsers. The attack works by redirecting to a javascript: URI (a data: URI also works). It is similar to attack #4.
Method of attack:
A request to a script on the site:
http://site/script.php?param=javascript:alert(document.cookie)
returns a response with the Location header:
HTTP/1.x 302 Found
Location: javascript:alert(document.cookie)
The browser shows the "Found" page; clicking the "here" link executes the code in the context of the site.
This browser vulnerability can be used to conduct Strictly social XSS attacks.
Attacks #7,8
In the article Cross-Site Scripting via redirectors 301 and 303 in different browsers I described two more attacks, via redirectors that answer with status 301 and 303. They use data: and javascript: URIs.
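The catalogue above is easier to apply when you can take a response captured from a suspected redirector and see at a glance which kind of redirector it is, what status and reason phrase it sends, and where it points. The following checker is an added example and not code from the article: it parses a raw HTTP/1.x response, pulls the target out of the Location or Refresh header, percent-decodes it the way a browser would, reports the scheme, and for data: URIs decodes the base64 body so the injected HTML can be read. The sample responses are constructed here in the header shapes the attacks above show (the base64 string is the one from attacks #2 and #3); they were not captured from any real site, and the function names are assumptions.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# URI schemes that make a redirect target executable content rather than a site.
SCRIPT_SCHEMES = {"javascript", "data", "vbscript"}

# Refresh: <seconds>; URL=<target>   (case-insensitive, quotes around the target allowed)
_REFRESH_RE = re.compile(r"""^\s*\d+\s*[;,]?\s*(?:url\s*=\s*)['"]?(.*?)['"]?\s*$""", re.I)


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status, reason, headers).
    Header names are lower-cased; the body, if any, is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\S+\s+(\d{3})\s*(.*)$", lines[0])
    if m is None:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), m.group(2).strip(), headers


def redirect_target(status, headers):
    """Return ('location-header' | 'refresh-header', raw target) or (None, None)."""
    if 300 <= status < 400 and headers.get("location"):
        return "location-header", headers["location"]
    m = _REFRESH_RE.match(headers.get("refresh", ""))
    if m and m.group(1):
        return "refresh-header", m.group(1)
    return None, None


def data_uri_payload(uri: str):
    """Decode the body of a data: URI (base64 or plain) to text, else None."""
    if not uri.lower().startswith("data:") or "," not in uri:
        return None
    meta, body = uri[5:].split(",", 1)
    if meta.lower().endswith(";base64"):
        return base64.b64decode(body).decode("utf-8", "replace")
    return unquote(body)


def classify(raw: str) -> dict:
    """Describe the redirect in a raw response: redirector kind, status and
    reason phrase, decoded target, its scheme, and whether it is a script URI."""
    status, reason, headers = parse_response(raw)
    kind, target = redirect_target(status, headers)
    if kind is None:
        return {"redirect": False, "status": status}
    decoded = unquote(target).strip()   # browsers decode %28 etc. before use
    scheme = urlsplit(decoded).scheme.lower()
    return {
        "redirect": True,
        "status": status,
        "reason": reason,
        "kind": kind,
        "target": decoded,
        "scheme": scheme,
        "script_uri": scheme in SCRIPT_SCHEMES,
        "payload": data_uri_payload(decoded) if scheme == "data" else None,
    }


# Constructed sample responses in the shapes the article's attacks produce
# (not captured from any real site).
PAYLOAD_B64 = "PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+"
SAMPLE_RESPONSES = {
    "refresh_javascript": ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                           "Refresh: 0; URL=javascript:alert(document.cookie)\r\n\r\n"),
    "refresh_data": ("HTTP/1.1 200 OK\r\n"
                     "refresh: 0; URL=data:text/html;base64," + PAYLOAD_B64[:-1] + "%2b\r\n\r\n"),
    "location_data": "HTTP/1.1 302 Found\r\nLocation: data:text/html;base64," + PAYLOAD_B64 + "\r\n\r\n",
    "object_moved": ("HTTP/1.1 302 Object moved\r\nLocation: javascript:alert%28document.cookie%29\r\n\r\n"
                     "<h1>Object Moved</h1>This document may be found "
                     "<a href=\"javascript:alert(document.cookie)\">here</a>"),
    "benign": "HTTP/1.1 301 Moved Permanently\r\nLocation: https://site.example/new/\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(name, classify(raw))
```

A result with `script_uri` true is the signal to look for: a refresh-header redirector pointing at javascript: or data:, or a location-header one pointing at data:, is exactly what the attacks above exploit, and the status and reason fields tell you whether the "302 Object moved" or "302 Found" variants apply. The Refresh parser only accepts the `URL=` form shown in the attacks; browsers are more lenient, so treat a non-match as "inspect by hand" rather than "safe".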
[Update: 05.08.2009]
As I have checked, Mozilla Firefox 3.0.13 is also vulnerable to attacks #2,3,4.
In all browsers vulnerable to attacks #1,4, the JS code executes in the context of the site.
[Update: 22.08.2009]
As I found with the help of Aung Khant from YEHG Team, the following browsers are also vulnerable:
Google Chrome 2.0.172.28, 2.0.172.37 and 3.0.193.2 Beta - vulnerable to attacks #1,2.
QtWeb 3.0 Build 001 and 3.0 Build 003 - vulnerable to attacks #1,2,3.
Safari 4.0.3 - vulnerable to attacks #1,2.
Opera 10.00 Beta 3 Build 1699 - vulnerable to attacks #1,3.
SeaMonkey 1.1.17 - vulnerable to attacks #1,2,4, and in #1,2,4 the JS code executes in the context of the site.
[Update: 25.08.2009]
New information from Aung Khant from YEHG Team:
Firefox 3.6 a1 pre - vulnerable to attacks #1,2,3,4, and in #1,2,4 the JS code executes in the context of the site.
Firefox 3.7 a1 pre - vulnerable to attacks #2,3,4.
Orca Browser 1.2 build 5 - vulnerable to attacks #2,3,4.
Maxthon 3 Alpha (3.0.0.145 and 3.0.2.2) with Ultramode (Apple's WebKit emulation) - vulnerable to attacks #1,2, and also vulnerable to attacks #3,4,5 as Strictly social XSS.
[Update: 05.08.2010]
Added information about attack #6.
[Update: 07.08.2010]
New information:
Mozilla Firefox 3.0.19 - vulnerable to attacks #2,3,4,6, and in #4,6 the JS code executes in the context of the site.
Firefox 3.5.11 - vulnerable to attacks #2,3,4,6, and in #4,6 the JS code executes in the context of the site.
Firefox 3.6.8 - vulnerable to attacks #2,3,4,6, and in #4,6 the JS code executes in the context of the site.
Firefox 4.0b2 - vulnerable to attacks #2,3,4,6, and in #4,6 the JS code executes in the context of the site.
Opera 10.53 - vulnerable to attacks #1,4,5,6.
[Update: 16.09.2012]
New information:
Firefox 3.5.19, Firefox 3.6.28 - vulnerable to attacks #2,3,4,6, and in #4,6 the JS code executes in the context of the site.
Firefox 10.0.7, Firefox 15.0.1 - vulnerable to attacks #2,3. In Firefox 10.0.7 and 15.0.1 attacks #4,6 are no longer possible: Mozilla silently fixed these vulnerabilities in Firefox 9.0.
Opera 10.62 - vulnerable to attacks #1,4,5,6.
[Update: 25.09.2012]
Added information about attacks #7 and #8.
Saturday, 21:55 29.08.2009
Besides publishing the XSS vulnerabilities in Firefox 3.0.x and 3.5.x in Mozilla's Bugzilla, today I also published the XSS vulnerabilities in Firefox 3.6 a1 pre and Firefox 3.7 a1 pre - Bug 513487.
Sunday, 06:43 30.08.2009
You know, you are not really that good at security; most of these things are not issues at all.
Monday, 01:13 31.08.2009
Joseph
It's your personal point of view.
First, I let people decide how good I am at security. And your point of view can differ from that of other people.
Second, if you don't understand some of these attacks via redirectors, it doesn't make them less dangerous. I see that all these 5 attack vectors are issues which must be fixed, so I informed browser vendors and the Internet community about them. And everyone must decide for himself whether any of these vulnerabilities in different browsers are dangerous to him.