Vulnerability found in security tool

Hehe, this is quite funny: Chris Shiflett released a tool today to perform CSRF tests, and I found a huge hole in it that allows JavaScript execution on his site. Sorry Chris :)

Simple Exploit

11 Responses to “Vulnerability found in security tool”

  1. fett writes:

    nice 😀

  2. Gareth Heyes writes:

    The tool has been disabled now. So the exploit will no longer work.

  3. Chris Shiflett writes:

    The tool has never been disabled; only the http and https schemes can be used for the target URL.

  4. Gareth Heyes writes:

    Maybe so, but it did allow anything, including Javascript:

    Glad you fixed it :)

  5. Chris Shiflett writes:

    I’d prefer to allow everything, but I don’t want to expose my readers to any risk, however slight.

    I could always isolate it to its own domain or something, and maybe that would be a good thing to do at some point. It would be nice to explore the opportunities that other schemes present.

  6. Gareth Heyes writes:

    Chris, the risk wasn’t slight: your tool contained an XSS hole that could be exploited.

    Imagine an attacker who uses your tool, then creates a tinyurl of it and then posts an interesting comment with a link to the tinyurl. The attacker could gain the cookies of the user or yourself.

  7. Chris Shiflett writes:

    Gareth, the risk that XSS presents is limited by what’s available within a particular domain. (Look into the same-origin policy.) This is both why I mentioned the risk being slight and why I mentioned the risk being acceptable if the vulnerability were isolated to its own domain.

  8. Gareth Heyes writes:

    Huh? lol, so you consider an XSS hole on your server to be a slight risk. I suggest you look into XSS.

    I could transfer the cookies from your domain to any domain if an XSS hole is found on your site.

  9. Gareth Heyes writes:

    If you want, Chris, I shall demo stealing your cookies: reinstate the vulnerability and I will provide you with a link which transfers the cookies from your domain to another domain.

  10. Chris Shiflett writes:

    You’re not doing yourself any favors by acting haughty and immature. Please try to be a bit more professional; I’m trying to give you the benefit of the doubt.

    XSS attacks exploit a client-side context and are therefore bound by the same-origin policy:

    http://en.wikipedia.org/wiki/Same_origin_policy

    For example, if a web site is mostly static, and the only non-static part is a broken 404 handler that has an XSS vulnerability, exploiting it is almost useless. If a web site doesn’t use cookies, or if the cookies it uses aren’t sensitive or trusted, stealing them is not the all-powerful exploit you seem to think it is. Consider a blog where a cookie is used to remember someone’s name, and the next time that person comments, their name is pre-filled. Stealing such a cookie gains you very little. You can already fill out the form yourself and provide any name you want.

    The vast majority of people who visit my site are readers. A very small minority join the discussions. An even smaller minority maintain modest profiles. It is the latter group that motivated me to restrict the schemes that the CSRF Redirector allows. Isolating it to its own domain would give me the opportunity to loosen this restriction without putting any of my readers at risk, which is why I mentioned this as an option.

    I did not elaborate on these points previously out of respect. (In fact, I only mentioned the same-origin policy after it seemed necessary.) You blog about web application security, so explaining the mundane details of XSS seemed disrespectful. The fact that your response lacks this same respect is disappointing.

  11. Gareth Heyes writes:

    Chris, I know how the same-origin policy works, and it is totally irrelevant to my point. You had an XSS hole which allows anyone to execute JavaScript on your site on their behalf. Perhaps you should be more professional and test your tools before trying to downplay the very vulnerabilities that you blog about.

    I’m not going to continue this discussion because I feel you are just trying to excuse yourself from the embarrassing mistake you made.
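The fix described in comment 3 (only the http and https schemes are accepted for the target URL) is the standard defence for a redirector that would otherwise pass a user-supplied URL, including a javascript: URL, into the page. The following is an added example of that scheme allowlist check, written for this page in Python; it is not the CSRF Redirector's own code, and the function name `is_safe_target` and the sample URLs are constructed here for illustration.

```python
from urllib.parse import urlsplit

# Only these schemes may be used as a redirect target (mirrors the fix
# described in the comments: http and https, nothing else).
ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_safe_target(url: str) -> bool:
    """Return True only if `url` is an absolute http(s) URL with a host.

    Browsers strip leading/trailing whitespace and embedded ASCII control
    characters (tab, newline) before interpreting a URL, so a scheme such as
    'java\\tscript:' still runs as javascript: in the browser. We apply the
    same normalisation first so the allowlist check sees what the browser
    would see, rather than trusting the raw string.
    """
    cleaned = "".join(ch for ch in url.strip() if ch >= " " and ch != "\x7f")
    parts = urlsplit(cleaned)

    # urlsplit lowercases the scheme, so mixed-case variants are caught too.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False

    # A scheme alone is not enough: require an authority (host) so that
    # scheme-relative ('//host') and opaque ('http:foo') inputs are rejected.
    if not parts.netloc:
        return False

    return True


def filter_targets(candidates: list[str]) -> dict[str, bool]:
    """Classify a batch of candidate target URLs (helper for the demo below)."""
    return {url: is_safe_target(url) for url in candidates}


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate targets and several that a
    # scheme allowlist must refuse.
    sample = [
        "http://example.com/",
        "https://example.com/path?x=1",
        "javascript:void(0)",
        "  JaVaScRiPt:void(0)",
        "java\tscript:void(0)",
        "data:text/html,hello",
        "//example.com/",
        "http:relative",
    ]
    for url, ok in filter_targets(sample).items():
        print(f"{'ALLOW ' if ok else 'REJECT'} {url!r}")
```

The check is deliberately an allowlist rather than a blocklist of dangerous schemes: rejecting everything that is not http or https means newly discovered scheme tricks (data:, vbscript:, mixed case, control-character padding) need no further rule.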