[tahoe-lafs-trac-stream] [tahoe-lafs] #1859: Proof-of-concept attack: Upload and execute attacker controlled js from any domain.

tahoe-lafs trac at tahoe-lafs.org
Thu Nov 15 04:23:45 UTC 2012


#1859: Proof-of-concept attack: Upload and execute attacker controlled js from any
domain.
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  davidsarah
  nejucomo               |     Status:  new
         Type:  defect   |  Milestone:  undecided
     Priority:  major    |    Version:  1.9.2
    Component:  code-    |   Keywords:  security javascript same-origin
  frontend-web           |  capleak
   Resolution:           |
Launchpad Bug:           |
-------------------------+-------------------------------------------------

Comment (by nejucomo):

 **Browser Notes**

 I tested this with Google Chrome 18.0.1025.142 (not Chromium) and
 Iceweasel 3.5.16, both on Debian squeeze (6.0.4).  The attack worked in the
 latter but not the former.

 In the former case, Chrome said something like ~"refusing to evaluate
 javascript which was seen in upload data" in the javascript console.  That
 feature surprises me and I would expect it is almost impossible to detect
 and prevent XSS completely; although maybe they can almost stamp out
 "reflected XSS", under which this demonstration attack falls.

 Reflected XSS is when an attack script is served in the response of the
 same HTTP transaction that included the attack vector in the request.  A
 "stored XSS" is one in which the attack vector lives in some state and is
 returned in a different response.  Because this attack stores a malicious
 script in a grid, it's apparent that stored XSS attacks are also likely,
 and these may thwart Chrome.  Other means to thwart might be various forms
 of obfuscation.  (David-Sarah asked about gzipping the payload, which I
 have not tested.)

-- 
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1859#comment:4>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
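The reflected-versus-stored distinction in the comment above, as an added illustration that is not part of the ticket or of Tahoe-LAFS: a simulated request/response check modelled on the heuristic the comment attributes to Chrome (only flag a script whose text also appears in the request that produced the response). The gateway URLs, form field and responses are constructed for the example, and the "stored" case shows why such a filter cannot see a script served later from the grid.

```python
import re
from urllib.parse import parse_qs, quote_plus, urlsplit

# Any <script>...</script> element in a response body.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)


def request_values(url, body=""):
    """Every attacker-influenced string in a request: decoded query-string
    and form-body values (parse_qs already URL-decodes them)."""
    values = []
    for source in (urlsplit(url).query, body):
        for vals in parse_qs(source, keep_blank_values=True).values():
            values.extend(vals)
    return values


def reflected_scripts(url, body, response_html):
    """Scripts in the response whose full text also occurs verbatim in the
    request.  This is the reflected-XSS heuristic: a script uploaded in one
    request and returned in a *different* response (stored XSS) is never
    matched, which is the gap the comment points out."""
    req_values = request_values(url, body)
    return [
        m.group(0)
        for m in SCRIPT_RE.finditer(response_html)
        if any(m.group(0) in v for v in req_values)
    ]


# Constructed sample: a harmless marker script, not a real payload.
PAYLOAD = "<script>console.log('marker')</script>"

# Case 1 (reflected): the upload request carries the script and the gateway
# echoes the uploaded content in the same HTTP transaction.
UPLOAD_URL = "http://gateway.example/uri?t=upload&name=page.html"
UPLOAD_BODY = "content=" + quote_plus(PAYLOAD)
REFLECTED_RESPONSE = "<html><body>" + PAYLOAD + "</body></html>"

# Case 2 (stored): a later, separate GET fetches the file from the grid; the
# request contains nothing that matches, so the heuristic is silent.
STORED_URL = "http://gateway.example/uri/URI:CHK:placeholder/page.html"
STORED_RESPONSE = "<html><body>" + PAYLOAD + "</body></html>"


def demo():
    """Return (reflected hits, stored hits) for the two constructed cases."""
    return (reflected_scripts(UPLOAD_URL, UPLOAD_BODY, REFLECTED_RESPONSE),
            reflected_scripts(STORED_URL, "", STORED_RESPONSE))


if __name__ == "__main__":
    print(demo())  # ([PAYLOAD], [])
```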