PDA

View Full Version : dummy hack test


davidh
September 19th, 2009, 11:32 AM
<script src="http://_.com/_.js"></script>

If you do not see the above line of text , then there is a problem.

If the forum software had not converted the line containing the HTML tags, etc. into this:

&lt;script src=&quot;http://_.com/_.js&quot;&gt;&lt;/script&gt;

then it would have been possible to attempt to run a js script from anywhere on the web in your browser.

"dummy" means 1. it's not a real test and/or 2. the poster

sidney
September 19th, 2009, 05:23 PM
<script src="http://_.com/_.js"></script>

If you do not see the above line of text , then there is a problem.

VBulletin has been around for a while and such security holes would have been closed a long time ago.

This site uses the option to disable all HTML in messages, using bbcode tags only. That's the simplest and safest option.

However, it does turn a URL string into HTML. Notice what it did in your message. If the proper security is in place it would not turn it into a URL that will execute Javascript. Hmm, I should check that but I have to run out the door in two minutes.

davidh
September 19th, 2009, 06:36 PM
VBulletin has been around for a while and such security holes would have been closed a long time ago.

This site uses the option to disable all HTML in messages, using bbcode tags only. That's the simplest and safest option.

However, it does turn a URL string into HTML. Notice what it did in your message. If the proper security is in place it would not turn it into a URL that will execute Javascript. Hmm, I should check that but I have to run out the door in two minutes.
I tried using the "Insert link" icon on the tool bar to paste the line of text in question, namely
<script src="http://_.com/_.js"></script>
as the contents of the URL and a click on "Preview Post" showed that the forum software had inserted zero, zilch, nada, thus blocking this kind of attack via the "Insert link" function.

As you say, I would have expected that such potential vulnerabilities have been closed long ago. I did not really expect to be able to show up any vulnerability in the first place. The main point of my OP was to show how little text is required to create an attack that could work without any clicking on any link by the user at all, if some vulnerabilities on both sides (server and browser) are unpatched.

sidney
September 19th, 2009, 07:12 PM
The main point of my OP was to show how little text is required to create an attack that could work without any clicking on any link by the user at all, if some vulnerabilities on both sides (server and browser) are unpatched.

Yes, and it can be quite a challenge to allow users to enter some HTML without allowing any malicious HTML. Since HTML is disabled in posts here the job is quite a bit easier. The remaining tricky part is in the code that parses URL strings such as http://example.com to make sure that it can't be fooled by something like http://example.com"><href='javascript:alert("foo")'> (which I expect will show up with only the http://example.com part of it being a hot link -- ok, this is my test - [UPDATE:] I see that the code is even more clever -- It saw something is wrong and disables hot linking the entire attempt at a hack)

davidh
September 19th, 2009, 10:16 PM
it can be quite a challenge to allow users to enter some HTML without allowing any malicious HTML. Sounds like about the same level of difficulty as having a girls plus boys slumber party with non-segregated bedrooms and NO hanky panky :rolleyes: