full-disclosure-uk January 2010 archive

Re: [Full-disclosure] MouseOverJacking attacks

From: MustLive <mustlive_at_nospam>
Date: Sun Jan 03 2010 - 21:50:29 GMT
To: "Andrew Farmer" <andfarm@gmail.com>


Hello Andrew!

First of all, Happy New Year to you and to all participants of the list.

And about your letter.

> If you can inject arbitrary HTML into a web page,

When you are talking about arbitrary HTML, that means the possibility of injecting angle brackets, and in my article I'm talking about the hardest cases, where using angle brackets is not possible.

> there are plenty of ways (many of them easier or more flexible than this)
> you can get it to run Javascript

Yes, in other cases other XSS attack vectors can be used. But I'm talking about the hardest cases, where only using events of HTML objects is possible, as I clearly wrote in my article. Here is a quote from the article:

It's possible to intercept onMouseOver events in Cross-Site Scripting vulnerabilities when other vectors of XSS attacks are impossible at the site, for example in case of filtration at the server or use of a WAF.

So in such rare cases, when you can only use events of HTML objects for the attack, you can use the MouseOverJacking technique instead of a common XSS attack, to conduct this XSS attack automatically.

Also in my article I wrote that MouseOverJacking can be used for other attacks (DoS, CSRF and others).

> None of this is considered particularly novel at this point.

All of the attack vectors you mentioned have been known to me for a long time. They are known XSS attack vectors. As I said, MouseOverJacking can be used in hard cases (when other automated XSS attacks are not possible), to automate such an attack.

Besides, as I see from conversations with different people about MouseOverJacking (including you), people didn't see the possibility of using this attack technique not only in rare cases, but in more widespread cases of XSS attacks, as I hinted in my article ;-). So at the end of December I decided to write a new article describing the wider use of MouseOverJacking for XSS attacks. I'll write it soon.

P.S.

> - Embedded objects (say, Flash, using ExternalInterface)

Or Flash with getURL.

About XSS attacks via Flash I have another article, XSS vulnerabilities in 8 millions flash files (http://websecurity.com.ua/3789/), which you can read.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "Andrew Farmer" <andfarm@gmail.com>
To: "MustLive" <mustlive@websecurity.com.ua>
Cc: <full-disclosure@lists.grok.org.uk>
Sent: Thursday, December 31, 2009 7:15 AM
Subject: Re: [Full-disclosure] MouseOverJacking attacks

On 29 Dec 2009, at 13:48, MustLive wrote:
> Recently, 26th of December 2009, I wrote the article MouseOverJacking
> attacks (http://websecurity.com.ua/3807/), and today I
> wrote English version of it (http://websecurity.com.ua/3814/).

Hardly news. If you can inject arbitrary HTML into a web page, there are plenty of ways (many of them easier or more flexible than this) you can get it to run Javascript:

  • <script> tags, obviously
  • Binding other events that'll trigger without an event, like onLoad
  • CSS (either inline, in a <style>, or loaded from another site with <link rel="stylesheet">) containing any of:
    • Background images loaded with the javascript: protocol
    • expression() (MSIE only?)
    • -moz-binding
  • Embedded objects (say, Flash, using ExternalInterface)

None of this is considered particularly novel at this point.
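Both sides of the thread take for granted the situation MustLive describes: a server-side filter or WAF that blocks angle brackets, while the event-handler attributes of elements already on the page stay reachable. The following is an added example, written for this archive page and not code from either correspondent, showing what that looks like in a response and what actually closes it. It renders a constructed query parameter into an input element three ways (angle brackets stripped, attribute-encoded and quoted, attribute-encoded but unquoted), parses the resulting tag the way a browser would, and lists any on* attributes that ended up on the element. The input strings, the hypothetical render functions and the small attribute parser are all constructed for the demonstration.

```javascript
// Added example (not from the thread). Shows why stripping '<' and '>'
// leaves event-handler injection open, and that attribute-context
// encoding only helps when the attribute is also quoted.

// Naive server-side filter: removes angle brackets and nothing else.
function stripAngleBrackets(s) {
  return s.replace(/[<>]/g, '');
}

// Encoder for text placed inside a quoted HTML attribute value.
function encodeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/'/g, '&#x27;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Three hypothetical ways a page might echo a query parameter (constructed).
function renderNaive(q)           { return `<input name="q" value="${stripAngleBrackets(q)}">`; }
function renderSafe(q)            { return `<input name="q" value="${encodeAttr(q)}">`; }
function renderUnquotedEncoded(q) { return `<input name="q" value=${encodeAttr(q)}>`; }

// Reverse of encodeAttr, so the parser sees what a browser sees.
function decodeEntities(s) {
  const map = { quot: '"', '#x27': "'", lt: '<', gt: '>', amp: '&' };
  return s.replace(/&(quot|#x27|lt|gt|amp);/g, (_, e) => map[e]);
}

// Parse the attributes of one start tag into a name -> value object,
// following the double-quoted / single-quoted / unquoted value rules a
// browser applies. Enough for a response-scanner check, not a full tokenizer.
function parseTagAttributes(tag) {
  const attrs = {};
  const inner = tag.replace(/^<[a-zA-Z][^\s>]*\s*/, '').replace(/\s*\/?>$/, '');
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) {
    attrs[m[1].toLowerCase()] = decodeEntities(m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// Detection: which attributes of the rendered tag are event handlers?
function eventHandlerAttributes(tag) {
  return Object.keys(parseTagAttributes(tag)).filter((k) => k.startsWith('on'));
}

// Constructed inputs. The first relies on a quote to leave the attribute;
// the second needs no quote at all because the target attribute is unquoted.
const BREAKOUT = '" onmouseover="alert(1)';
const UNQUOTED = 'x onmouseover=alert(1)';

// Summary of the three renderings for each input.
function demo() {
  const report = {};
  for (const [label, q] of [['breakout', BREAKOUT], ['unquoted', UNQUOTED]]) {
    report[label] = {
      naive: eventHandlerAttributes(renderNaive(q)),
      safe: eventHandlerAttributes(renderSafe(q)),
      unquotedEncoded: eventHandlerAttributes(renderUnquotedEncoded(q)),
    };
  }
  return report;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the angle-bracket filter passing an onmouseover attribute through untouched, the quoted-and-encoded rendering keeping the whole string inside the value (the parsed value decodes back to the original input), and the unquoted rendering remaining injectable even though every character was encoded, because a space is all it takes to start a new attribute there. The lesson for the WAF case in the thread is that the defence lives in the template (quote the attribute and encode for that context), not in a blacklist of characters.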



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/