XSS in Skype for iOS

Skype for iOS contains an XSS vulnerability that allows attackers to steal information from the device.

A Cross-Site Scripting vulnerability exists in the "Chat Message" window in Skype 3.0.1 and earlier versions for iPhone and iPod Touch devices.

Skype uses a locally stored HTML file to display chat messages from other Skype users, but it fails to HTML-encode the sending user's "Full Name" before inserting it into that file. An attacker who sets a Full Name containing script therefore gets that script executed when the victim views the message.
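The following is an added example, not Skype's code: a constructed chat-message template that shows the bug class above (the sender's name concatenated into markup without encoding) next to the output-encoding that fixes it. The template, the helper names and the attacker-controlled name are all assumptions made for illustration.

```javascript
// Added example (not Skype's code): how an unencoded sender name turns a
// chat-message HTML template into script, and the encoding that fixes it.
// The template and the attacker name below are constructed for illustration.

// Escape the five characters that can break out of text content or a
// double-quoted attribute. Ampersand goes first so later entities are not
// double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the message body is encoded but the sender's
// "Full Name" is concatenated into the markup as-is.
function renderMessageUnsafe(fullName, body) {
  return '<div class="msg"><b>' + fullName + '</b>: ' + escapeHtml(body) + '</div>';
}

// Fixed rendering: every attacker-controlled string is encoded on output.
function renderMessageSafe(fullName, body) {
  return '<div class="msg"><b>' + escapeHtml(fullName) + '</b>: ' + escapeHtml(body) + '</div>';
}

// Constructed attacker-controlled profile name. An <img onerror> payload
// fires as soon as the message view renders the HTML, and the alert would
// display the page's origin (the file:// scheme the post describes).
var ATTACKER_NAME = '<img src=x onerror="alert(document.location)">';

// Crude check used by the demo: after stripping the template's own
// <div>/<b> tags, is any '<' left that came from user-controlled input?
function leaksMarkup(html) {
  return html.replace(/<\/?(div|b)\b[^>]*>/g, '').indexOf('<') !== -1;
}

// Stand-alone demo
console.log('unsafe:', renderMessageUnsafe(ATTACKER_NAME, 'hi'));
console.log('  leaks markup?', leaksMarkup(renderMessageUnsafe(ATTACKER_NAME, 'hi')));
console.log('safe:  ', renderMessageSafe(ATTACKER_NAME, 'hi'));
console.log('  leaks markup?', leaksMarkup(renderMessageSafe(ATTACKER_NAME, 'hi')));
```

When the rendering happens inside a live DOM rather than by writing a file, assigning the name to `textContent` instead of building an HTML string removes the need for manual escaping altogether; the string-based version above is shown because the post describes a stored HTML file.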

[Photo: javascript alert(mphone)]

To demonstrate the vulnerability, I captured a photo of a simple JavaScript alert() running within Skype.

Executing arbitrary JavaScript is one thing, but I found that Skype also gives the built-in WebKit view that renders chat messages the wrong origin. Usually such a view is loaded with a base URL like "about:blank" or a custom scheme such as "skype-randomtoken"; in this case it is actually "file://". Script running in a file:// origin can read other local files (for example through XMLHttpRequest), so the injected code can read any file that the application itself is able to read.

File system access is partially mitigated by the iOS application sandbox that Apple has implemented, which keeps the attacker away from certain sensitive files outside the application's container. However, every iOS application has access to the user's AddressBook, and Skype is no exception. I created a proof-of-concept injection and attack that shows that a user's AddressBook can indeed be stolen from an iPhone or iPod touch through this vulnerability.

To further demonstrate the issue, I have recorded a video of this scenario. Please use the comments section below for your questions.

http://www.youtube.com/watch?v=Ou_Iir2SklI



Two Location Headers

Update! 2/24/2012: I found out that the latest versions of Firefox and Chrome now give error messages instead of preferring the first or second header. This is probably the safest way to handle the situation, since this trick can really only be used for evil }:)

[Screenshot: Firefox "corrupted content" error]

[Screenshot: Chrome "duplicate headers" error]

Where does your browser send you when an HTTP response contains two Location headers?

[code autolinks="false"]
HTTP/1.1 302 Found
Date: Fri, 04 Mar 2011 20:58:17 GMT
Server: Apache
Location: http://www.yahoo.com
Location: http://www.google.com
[/code]

Yahoo or Google?

Browser                        Redirection
Firefox > 7                    Error
Chrome ≥ 16                    Error
Chrome < 16                    Yahoo
Safari 5.1                     Yahoo
Internet Explorer 6/7/8        Yahoo
Opera 11.01                    Yahoo
Opera Mini on iPhone           Yahoo
Firefox 3.6.15 to 6.0          Google
Safari 5.0.3                   Google
Mobile Safari (iOS 4.3.5)      Google
Mobile Firefox for Android     Google
HP TouchPad (webOS)            Google
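To make the ambiguity concrete, here is an added example (not part of the original post) that parses the response shown above with Python's standard-library HTTP header parser and resolves the redirect under the three behaviours the table records: first header wins, last header wins, or refuse to guess. The response bytes are reconstructed from the post; the function names and the policy labels are my own.

```python
# Added example, not from the original post: parse a raw HTTP response that
# carries two Location headers and show why clients disagree about where it
# redirects. RAW is the response quoted in the post, reconstructed here.
import io
import http.client

RAW = (
    b"HTTP/1.1 302 Found\r\n"
    b"Date: Fri, 04 Mar 2011 20:58:17 GMT\r\n"
    b"Server: Apache\r\n"
    b"Location: http://www.yahoo.com\r\n"
    b"Location: http://www.google.com\r\n"
    b"\r\n"
)


class AmbiguousRedirect(Exception):
    """Raised in strict mode when a 3xx response carries more than one Location."""


def parse_response(raw):
    """Split a raw response into (status_code, headers) using the stdlib parser."""
    fp = io.BytesIO(raw)
    status_line = fp.readline().decode("iso-8859-1")
    status_code = int(status_line.split()[1])
    headers = http.client.parse_headers(fp)  # an email.message.Message subclass
    return status_code, headers


def location_targets(headers):
    """Every Location value, in wire order.

    headers.get('Location') would silently return only the first one, which is
    exactly the kind of unilateral choice the browsers in the table make.
    """
    return headers.get_all("Location") or []


def has_duplicate_location(headers):
    """True when the response is ambiguous (more than one Location header)."""
    return len(location_targets(headers)) > 1


def resolve_redirect(headers, policy="strict"):
    """Pick the redirect target under one of the observed client behaviours:
    'first' (Safari 5.1 / IE / Opera in the table), 'last' (Firefox 3.6-6.0 /
    Safari 5.0.3 / mobile browsers), or 'strict' (Firefox 7+ / Chrome 16+),
    which refuses to follow an ambiguous redirect at all."""
    targets = location_targets(headers)
    if not targets:
        return None
    if len(targets) == 1:
        return targets[0]
    if policy == "first":
        return targets[0]
    if policy == "last":
        return targets[-1]
    if policy == "strict":
        raise AmbiguousRedirect("%d Location headers: %s" % (len(targets), targets))
    raise ValueError("unknown policy %r" % policy)


if __name__ == "__main__":
    code, hdrs = parse_response(RAW)
    print("status:", code)
    print("Location headers:", location_targets(hdrs))
    for policy in ("first", "last", "strict"):
        try:
            print("%-6s -> %s" % (policy, resolve_redirect(hdrs, policy)))
        except AmbiguousRedirect as exc:
            print("%-6s -> refused (%s)" % (policy, exc))
```

The strict policy is the one to copy in your own HTTP clients and proxies: a duplicated Location header is almost always the result of header injection or a misconfigured server, and picking either value silently turns that mistake into an open redirect.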