controlling document.referrer

wlet

Jun 15, 2011, 9:53:20 AM
to domina...@googlegroups.com
Hi all,

I'm just playing around with DOMinator and got some alerts on one of our pages. Obviously "document.referrer" is used to create an img for user tracking purposes. According to several slides I found (http://wenku.baidu.com/view/1a48c78371fe910ef12df827.html and the slides from SwissCyberStorm) this should be exploitable. Nevertheless I did not find a way to control document.referrer. Can someone share a short example of how to control document.referrer from an attacker's perspective?

Thx

wlet

Stefano Di Paola

Jun 15, 2011, 10:15:10 AM
to domina...@googlegroups.com
Hey,
Is it a document.write or an Element.innerHTML?

If yes, then "probably" it's exploitable.
As you can see in the
https://code.google.com/p/domxsswiki/wiki/TheReferrerSource

IE allows several characters like " > < ' in the query string.
So you'll probably need to set up an attacker page like:
www.attacker.ltd/page.php?blah'"><iframe/onload=alert(1)>
content:
<iframe src='http://yourwww/page.do'></iframe>

or something like that, that points to the flawed page.

Let me know if it works...
Cheers
Stefano


--
Stefano Di Paola
Chief Technology Officer, Lead Auditor ISO 27001
Minded Security - Application Security Consulting

Cell: +39 3209495590
Email: stefano.dipaola [at] mindedsecurity.com

Minded Security S.r.l.
Via Duca D'Aosta, n.20 50129 Firenze (FI)
www.mindedsecurity.com

_________________________________________________________________________________________________

Pay attention, this email is confidential. If you are not authorized,
or if you have received this message by mistake, please do not read,
use or spread any piece of the information above.


wlet

Jun 16, 2011, 3:14:10 AM
to DOMinator
Hi Stefano,

thanks for the tip. I got the idea and tested it. Unfortunately (or
better fortunately) it gets escaped correctly.

Big Thanks,

wlet
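
Added example, not part of the thread: a tracking-pixel builder of the kind discussed above, once with document.referrer concatenated raw into markup and once escaped, run against the referrer string from Stefano's reply. TRACKER_URL and all function names are hypothetical; ENCODED_REFERRER is constructed.

```javascript
// Added example. TRACKER_URL and all function names are hypothetical.
const TRACKER_URL = "https://tracker.example/pixel.gif";

// Referrer as IE would report it for the attacker page quoted in the thread:
// the characters ' " < > arrive unencoded in the query string.
const RAW_REFERRER = `http://www.attacker.ltd/page.php?blah'"><iframe/onload=alert(1)>`;
// Constructed: the same URL as reported by a browser that percent-encodes the query.
const ENCODED_REFERRER =
  "http://www.attacker.ltd/page.php?blah%27%22%3E%3Ciframe/onload=alert(1)%3E";

// Flagged pattern: referrer concatenated raw into markup that is then
// handed to document.write or innerHTML.
function buildPixelUnsafe(referrer) {
  return '<img src="' + TRACKER_URL + "?ref=" + referrer + '">';
}

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// HTML attribute escaping. Needed on top of encodeURIComponent, which leaves
// ' untouched and so does not protect a single-quoted attribute by itself.
function escapeAttr(value) {
  return value.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Escaped pattern: URL-component encoding first, then attribute escaping.
function buildPixelEscaped(referrer) {
  const url = TRACKER_URL + "?ref=" + encodeURIComponent(referrer);
  return '<img src="' + escapeAttr(url) + '">';
}

// Preferred in a browser: no HTML sink at all, the value only ever becomes a URL.
function sendPixel(referrer) {
  new Image().src = TRACKER_URL + "?ref=" + encodeURIComponent(referrer);
}

// Number of tags opened by the markup; anything above 1 means the referrer
// left the src attribute and injected an element of its own.
function countTags(html) {
  return (html.match(/</g) || []).length;
}

for (const ref of [RAW_REFERRER, ENCODED_REFERRER]) {
  console.log(countTags(buildPixelUnsafe(ref)), countTags(buildPixelEscaped(ref)));
}
```
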