20 | Test security
becoming java\nscript as Internet and the site carries out the deletion
Explorer still processes words request believing it was submitted by
separated by line breaks. Any uploaded the user (as the authentication cookies
files should be treated with suspicion, were submitted). The SAMY worm
due to various published exploits due spread across Myspace using an XSS
to rendering errors when processing attack by bypassing mechanisms to
malicious submitted files. This might prevent CSRF attacks to perform a
directly affect the website under test CSRF, and using string concatenation
if it previews the file content, or more and character conversion to bypass
commonly only affects the end user XSS filters.
machines. For instance with GIF files, Many servers accept RSS (really
the comment area might be used to simple syndication) news feeds
alter the flash cross domain policy, which are forwarded to the servers’
or if a GIF file is combined with a subscribers; the subscribers’ web
JAR (Java Archive) which is termed browser then renders the information
as GIFAR to produce content which contained within the RSS file. RSS
is then executed by the Java virtual files use the XML file standard to
machine. Other common GIF attacks transmit information, a problem occurs
Penetration testers have
attempt to create buffer overflows to when an attacker is able to submit a
to ensure that aggregator
run code on user machines, like the malicious RSS file. In such an instance,
Mozilla Foundation GIF overflow or the the attacker might be able to perform
sites have processes
Sun Java JRE GIF processing overflow a XXE (XML external entity) attack
and controls in place to
vulnerabilities. to read system files and perform
ensure that un-trusted
Submitted links can be used to other attacks on an RSS aggregator
RSS feeds cannot be
attack flaws found in other sites, machine (news site), or exploit an XML
exploit flaws in software running on parser security weakness within the
added, and that any code
end user machines (eg Flash Player subscriber’s web browsers eventually
providing RSS feeds has
XSS) or directly attack other users to run system commands on subscriber
sufficient filtering and of the website by a technique called machines. A recent example was the
malicious code detection
cross site request forgery (CSRF). CVE-2009-0137 Safari RSS attack
CSRF attacks typically occurs where when a maliciously-crafted news feed
so that un-patched
the website uses long-lived persistent was potentially able to execute code
subscriber machines do
cookies for authenticating its users, on the client.
not execute any malicious for instance if a website user visits a Penetration testers have to ensure
embedded code. This is not
malicious submitted page which then that aggregator sites have processes
straightforward, as some
submits a page request like delete and controls in place to ensure that
user (normally via an image tag). The un-trusted RSS feeds cannot be added,
RSS feeds embed tags to
user’s browser recognising that the and that any code providing RSS feeds
make their content more page has associated persistent cookies has sufficient filtering and malicious
interesting.
submits the authentication cookie code detection so that un-patched
along with the submitted request, subscriber machines do not execute
T.E.S.T | June 09 June 09 | T.E.S.T
Page 1 |
Page 2 |
Page 3 |
Page 4 |
Page 5 |
Page 6 |
Page 7 |
Page 8 |
Page 9 |
Page 10 |
Page 11 |
Page 12 |
Page 13 |
Page 14 |
Page 15 |
Page 16 |
Page 17 |
Page 18 |
Page 19 |
Page 20 |
Page 21 |
Page 22 |
Page 23 |
Page 24 |
Page 25 |
Page 26 |
Page 27 |
Page 28 |
Page 29 |
Page 30 |
Page 31 |
Page 32 |
Page 33 |
Page 34 |
Page 35 |
Page 36 |
Page 37 |
Page 38 |
Page 39 |
Page 40 |
Page 41 |
Page 42 |
Page 43 |
Page 44 |
Page 45 |
Page 46 |
Page 47 |
Page 48 |
Page 49 |
Page 50 |
Page 51 |
Page 52