publistsenablesecurity.com
Date: Wed Jun 18 2008 - 08:13:39 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi -

Back in 2002 I had published details of a vulnerability affecting most web browsers. It detailed a security flaw that allows attackers to abuse non-HTTP protocols to launch Cross Site Scripting attacks even when a target web application was not vulnerable to XSS.

Six years later I'm releasing an update to this research in this paper. This security vulnerability still affects popular web browsers nowadays and the following browsers were tested as vulnerable:

   * Internet Explorer 6
   * Internet Explorer 7
   * Internet Explorer 8 (beta 1)
   * Opera 9.27
   * Opera 9.50
   * Safari 1.32
   * Safari 3.1.1

Others have described how to abuse behavior for purposes other than Cross Site Scripting. NGSSoftware previously published a paper called "Inter-Protocol Exploitation" which references the original EyeonSecurity paper.

Paper at:
http://resources.enablesecurity.com/resources/the%20extended%20html%20form%20attack%20revisited.pdf

or http://tinyurl.com/5d88ll

--
Sandro Gauci
EnableSecurity
Web: http://enablesecurity.com/

-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]