First of all, Happy New Year to you and to all participants of the list.
And about your letter.
> If you can inject arbitrary HTML into a web page,
When you talk about arbitrary HTML, it means the possibility to inject angle brackets, and in my article I'm talking about the hardest cases, where using angle brackets is not possible.
> there are plenty of ways (many of them easier or more flexible than this)
Yes, in other cases other XSS attack vectors can be used. But I'm talking about the hardest cases, where only the use of events of HTML objects is possible, as I clearly wrote in my article. Here is a quote from the article:
It's possible to intercept onMouseOver events in Cross-Site Scripting vulnerabilities, when other vectors of XSS attacks are impossible at the site. For example, in case of filtration at the server or using of WAF.
So in such rare cases, when you can only use events of HTML objects for an attack, you can use the MouseOverJacking technique instead of a common XSS attack, to conduct this XSS attack automatically.
Also, in my article I wrote that MouseOverJacking can be used for other attacks (DoS, CSRF and others).
> None of this is considered particularly novel at this point.
All of the attack vectors you mentioned have been known to me for a long time. They are known XSS attack vectors. As I said, MouseOverJacking can be used in hard cases (when other automated XSS attacks are not possible) to automate such an attack.
Besides, as I see from conversations with different people about MouseOverJacking (including you), people didn't see the possibility of using this attack technique not only in rare cases, but also in more widespread cases of XSS attacks, as I hinted in my article ;-). So at the end of December I decided to write a new article describing the wider use of MouseOverJacking for XSS attacks. And I'll write it soon.
> - Embedded objects (say, Flash, using ExternalInterface)
Or Flash with getURL.
About XSS attacks via Flash, I have another article, which you can read: XSS vulnerabilities in 8 millions flash files (http://websecurity.com.ua/3789/).
Best wishes & regards,
Administrator of Websecurity web site
On 29 Dec 2009, at 13:48, MustLive wrote:
> Recently, 26th of December 2009, I wrote the article MouseOverJacking
> attacks (http://websecurity.com.ua/3807/), and today I
> wrote English version of it (http://websecurity.com.ua/3814/).
None of this is considered particularly novel at this point.
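For defenders, the case the reply keeps returning to (server-side filtering that blocks angle brackets but still lets an event attribute through) can be checked as below. This is an added example, not code from the thread or the linked articles; the template, the filter, the handler name `notify()` and the sample value are all constructed assumptions.

```python
import html
from html.parser import HTMLParser

def strip_angle_brackets(value: str) -> str:
    """Constructed stand-in for a server-side filter that only removes < and >."""
    return value.replace("<", "").replace(">", "")

def encode_for_attribute(value: str) -> str:
    """Output encoding suited to a quoted HTML attribute value (escapes quotes too)."""
    return html.escape(value, quote=True)

def render(value: str) -> str:
    """Hypothetical template that reflects a request value inside a quoted attribute."""
    return f'<input type="text" name="q" value="{value}">'

class _AttrCollector(HTMLParser):
    """Collects every attribute name seen on start tags."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)

def event_handlers(markup: str) -> list:
    """Return the on* attribute names an HTML parser sees in the markup."""
    collector = _AttrCollector()
    collector.feed(markup)
    collector.close()
    return sorted(n for n in collector.names if n.startswith("on"))

# Constructed sample input: no angle brackets, only a quote and an event attribute.
SAMPLE = '" onmouseover="notify()'

def compare(value: str = SAMPLE) -> dict:
    """Show which defence still lets the reflected value create an event handler."""
    return {
        "bracket_filter": event_handlers(render(strip_angle_brackets(value))),
        "attribute_encoding": event_handlers(render(encode_for_attribute(value))),
    }

if __name__ == "__main__":
    print(compare())
```

The same `event_handlers` check can be run over rendered responses in a regression test to confirm that reflected parameters never add `on*` attributes.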