Back in 2002 I published details of a vulnerability affecting most web browsers: a security flaw that lets attackers abuse non-HTTP protocols to launch Cross Site Scripting attacks even when the target web application itself is not vulnerable to XSS.
Six years later I'm releasing an update to this research in this paper. The vulnerability still affects popular web browsers today, and the following browsers were tested and found vulnerable:
- Internet Explorer 6
- Internet Explorer 7
- Internet Explorer 8 (beta 1)
- Opera 9.27
- Opera 9.50
- Safari 1.32
- Safari 3.1.1
Others have described how to abuse this behavior for purposes other than Cross Site Scripting. NGSSoftware previously published a paper called "Inter-Protocol Exploitation" that references the original EyeonSecurity paper.
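The defence that browsers adopted against this class of attack is a client-side restricted-port policy: the browser refuses to issue an HTTP request to a port that belongs to a well-known non-HTTP service, so a service that echoes request data back can never have that reflection rendered as HTML. The following Python code is an added example illustrating that check; it is not code from the original paper or from any browser. The port list is my own constructed selection of common non-HTTP service ports for illustration, not the actual list any particular browser ships.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed, illustrative list of ports for common non-HTTP services.
# Real browsers ship their own (longer) restricted-port lists; these entries
# are an assumption for this example, not the list of any specific browser.
RESTRICTED_PORTS = {
    21: "ftp",
    22: "ssh",
    23: "telnet",
    25: "smtp",
    110: "pop3",
    119: "nntp",
    143: "imap",
    6667: "irc",
}

# Default ports for the URL schemes this check understands.
DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(url: str) -> Optional[int]:
    """Return the TCP port a navigation to ``url`` would connect to.

    Returns None for schemes outside http/https or for a malformed port,
    so the caller can refuse rather than guess.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        return None
    try:
        # ``parts.port`` is None when the URL carries no explicit port and
        # raises ValueError when the port is non-numeric or out of range.
        return parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:
        return None


def check_navigation(url: str) -> Tuple[bool, str]:
    """Decide whether a client should issue an HTTP request for ``url``.

    Returns (allowed, reason). A request whose target port belongs to a known
    non-HTTP service is refused before any connection is made, mirroring the
    "this port is forbidden for security reasons" behaviour described for
    Opera in the comments below.
    """
    port = effective_port(url)
    if port is None:
        return False, "unsupported scheme or malformed port"
    if port in RESTRICTED_PORTS:
        return False, f"port {port} ({RESTRICTED_PORTS[port]}) is restricted"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs; the hostname is a placeholder.
    for sample in (
        "http://intranet.example/",
        "http://intranet.example:25/",
        "http://intranet.example:6667/",
        "ftp://intranet.example/",
    ):
        print(sample, "->", check_navigation(sample))
```

Note that the check is applied to the effective port, so a URL with no explicit port is still evaluated against the scheme default, and anything the parser cannot resolve to a numeric port is refused rather than passed through.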
Filed under: Research | 13 Comments
Tags: firefox, internet explorer, opera, safari, security, vulnerability, web browser
thank you for this information
Great post.
It’s about time that IE, Opera & Safari start including some serious Security features.
I think they’re doing a good job on the whole, considering all the attacks coming their way. Firefox has its own set of problems [1] believe me ;-)
With the flexibility that we have with HTTP, it's easy to overlook something like the attack that I (and others) have described. I'm sure that there are similar scenarios that have not been previously published and that will affect all web browsers because of the nature of the HTTP protocol.
[1] http://blog.mozilla.com/security/2008/06/18/new-security-issue-under-investigation/
Re [1]: Yeah I saw that this morning — and no fix yet 8-(
That's interesting but, as a non-expert, I have trouble visualizing the attack. Would it be possible to have a test page, you know, like there is a page to test if your browser is vulnerable to spoofing?
Also, if it's not possible to solve the problem with the browser, can it be done with the OS? By closing some ports, for instance?
Excellent paper Sandro. This form of attack is especially targeted to home users where firewalls do not exist, or otherwise do not block outgoing ports. About time to think out of the box and not just consider incoming traffic when it comes to securing a home network :)
James – I wouldn’t say it only affects the home users. Having a corporate firewall will not block connections to the internal servers (ones behind a firewall). This functionality can be very flexible from an attacker’s point of view ;-)
@Sandro
Yes you’re right. There are many possibilities, and I didn’t foresee that it can also exploit internal services, yet achieving the same results.
On your 2002 page, I've tested the "demo link" in IE 6 and Opera 9.50. For the two browsers, I've got "error, page not found"; in Opera, it's clearly stated: "this port is forbidden for security reasons".
Coaroo: Yes, the behavior of various browsers has changed since the demo was made, and the old demo does not necessarily work. However, the vulnerability is still present.