Jan 26, 2010

Google Chrome Drag and Drop fun

You must be browsing this page with Google Chrome. If so, open any website (www.google.com will work fine) in another tab, then drag the Windows 3.1 image (below) and drop it over the other website's tab; you should get Windows 3.1 running there (in an iframe). You can also inject the Microsoft website by doing the same with the other image.

With Google Chrome, any code can be injected from one website into another by drag and drop. This feature is not available in Firefox, Internet Explorer or Safari.

I wonder if this can be abused in some way?

Blogger allows running arbitrary JavaScript

I guess this is a known issue since it's so simple to do; anyway, I think people should be aware of it.
While editing a blog post I realized that Blogger allows running arbitrary JavaScript in blogs. This is both good and bad. It's good because you can post demo code and run it, track users, modify the web pages at will, etc. But it's bad because it can be used as a malware distribution system, to steal information from blog visitors, to exploit browser vulnerabilities, etc.

Naive demo: Click here

BTW: It's not possible to steal Blogger cookies if you are logged in, since Blogger cookies are used only on Blogger.com and not on *.blogspot.com.

Jan 9, 2010

Little bug in Safari and Google Chrome

I guess a bug in Safari is not a surprise at all, but Google Chrome seems to be a more secure product. Anyway, this little bug is not a big deal, but combined with another bug it could be more dangerous.

<link rel="stylesheet" type="text/css" href="http://www.yahoo.com">
<script language="javascript">
// setTimeout is used just to wait for the page to finish loading
setTimeout("alert(document.styleSheets[0].href)", 10000);
</script>

The code above should display the same href value as in the LINK tag, but it displays the final URL if there is a redirection. Here in my country, when you browse to http://www.yahoo.com/ you get redirected to http://ar.yahoo.com/?p=us, so the above code displays this last URL.

Why is this an issue?
-Some websites put user session ids in URL query strings, and the same goes for tokens used for CSRF protection. If an attacker can get a user to browse his website, he can use the above code to reference a URL of a website the user is logged in to that will be redirected to another URL that could have a session id or token in the query string, and then use this information for more dangerous attacks. Some websites could also have other useful information in the query string that could be used for further attacks. Websites putting session ids, tokens, etc. in query strings are already insecure, but this issue helps in exploiting them.

-An attacker can also use this issue to determine whether a user is logged in or not by comparing whether the original URL is the same as the final one when trying to access a feature that requires being logged in.

-Maybe there are other possible ways of abusing this issue that I'm not aware of right now.

Microsoft Internet Explorer and Mozilla Firefox are not vulnerable to this.
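As an added example (not code from the original post), here is the site-owner side of the fix: a small Node.js check that flags the query parameters a redirect target would expose through this leak, and a hardened variant that moves them into an HttpOnly cookie and redirects to a clean URL. The parameter-name heuristic and the base URL example.invalid are assumptions.

```javascript
// Added example, not from the original post. Node.js, built-in URL class only.
// The stylesheet-href leak reveals the *final* URL of a cross-site redirect,
// query string included, so a redirect target must never carry secrets.

// Assumption: heuristic list of parameter names that usually carry session
// ids or CSRF tokens; extend it for your own application.
const SECRET_PARAM_RE = /^(sid|sessionid|session_id|phpsessid|jsessionid|token|csrf|csrftoken|auth|key)$/i;

// Values that look like opaque secrets: long, hex/base64-ish, no spaces.
const OPAQUE_VALUE_RE = /^[A-Za-z0-9+/=_-]{16,}$/;

// Return the names of query parameters on a redirect Location that the leak
// would expose. An empty array means the redirect carries nothing sensitive.
function findLeakedSecrets(location, base = 'https://example.invalid/') {
  const url = new URL(location, base);
  const leaked = new Set();
  for (const [name, value] of url.searchParams) {
    if (SECRET_PARAM_RE.test(name) || OPAQUE_VALUE_RE.test(value)) {
      leaked.add(name);
    }
  }
  return [...leaked];
}

// Hardened redirect: strip the secrets from the URL and return them as
// HttpOnly cookie headers, so the browser-visible Location is harmless.
function hardenRedirect(location, base = 'https://example.invalid/') {
  const url = new URL(location, base);
  const setCookie = [];
  for (const name of findLeakedSecrets(location, base)) {
    const value = url.searchParams.get(name);
    url.searchParams.delete(name);
    setCookie.push(
      `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`
    );
  }
  // Avoid a dangling "?" when every parameter was removed.
  if (url.searchParams.toString() === '') url.search = '';
  return { location: url.toString(), setCookie };
}

// Constructed sample: the yahoo redirect from the post carries no secret,
// while a login redirect with a session id in the query string does.
console.log(findLeakedSecrets('http://ar.yahoo.com/?p=us'));
console.log(hardenRedirect('/home?sid=3f9a8c1d2e4b5a6f7e8d9c0b1a2f3e4d&lang=en'));
```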