 |  |  |  |  |  |  |  |
Web forms are still the gateway to security hell
Sandro Gauci, founder of EnableSecurity, has revealed that six years on from his 2002 report into extended HTML form attacks the problem has simply refused to go away.
The original report included details of how attackers could abuse non-HTTP protocols in order to launch Cross Site Scripting attacks, even in a situation where the target web application was not itself vulnerable to XSS. This applied to most web browsers at the time. Now, he says, not much has changed.
"Six years later I’m releasing an update to this research in this paper. This security vulnerability still affects popular web browsers nowadays."
Gauci lists the following browsers as all being tested and vulnerable:
Gauci concedes that a decent job has been done as far as the web forms which get exchanged with HTML servers are concerned, but not when we start talking about FTP, SMTP or any other non-HTTP server.
"When an attacker can control what is returned by the server, the victim becomes vulnerable to security issues" Gauci says.
The original report included details of how attackers could abuse non-HTTP protocols in order to launch Cross Site Scripting attacks, even in a situation where the target web application was not itself vulnerable to XSS. This applied to most web browsers at the time. Now, he says, not much has changed.
"Six years later I’m releasing an update to this research in this paper. This security vulnerability still affects popular web browsers nowadays."
Gauci lists the following browsers as all being tested and vulnerable:
Internet Explorer 6Of course, it is not that the vulnerabilities have just been ignored, but rather that these browsers have not managed to make it go away completely. The problem seems to lay with how they block ports, and how attackers exploit browser blacklists by using ports which are not on them.
Internet Explorer 7
Internet Explorer 8 (beta 1)
Opera 9.27
Opera 9.50
Safari 1.32
Safari 3.1.1
Gauci concedes that a decent job has been done as far as the web forms which get exchanged with HTML servers are concerned, but not when we start talking about FTP, SMTP or any other non-HTTP server.
"When an attacker can control what is returned by the server, the victim becomes vulnerable to security issues" Gauci says.
Similar Threads
- How the hell did i do this! funny as hell (C)
- CSS forms z-index hell (HTML and CSS)
- Forms and Web standards (HTML and CSS)
- Identification of Web Forms (ASP.NET)
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest Network Security Posts
- Today's Posts
- Unanswered Threads
advertising age amd apple avatar bluegene botnet browser business cellphone china chips copyright crime data database design development dos downloads economy email encryption energy enterprise europe facebook firefox free gadget games gaming google government hacker hacking hardware ibm ibm.news intel intelibm internet iphone ipod itunes law legal linux mac malware marketing medicine memory microsoft mobile mozilla music news openoffice opensource os pc phishing piracy porn privacy programming ps3 recession redhat report research russia search security sex socialnetworking software spam sun supercomputer supercomputing survey technology trends trojan twitter ubuntu uk video virus vista web windows windows7 working x86 xbox yahoo youtube
