Comments on: The Extended HTML Form Attack Revisited

By: Sandro

Sandro — Sun, 13 Jul 2008 22:06:51 +0000

Coaroo: Yes the behavior of various browsers changed from the time that the demo was made and the old demo does not necessarily work. However the vulnerability is still present.

By: Coaroo

Coaroo — Sun, 13 Jul 2008 18:02:03 +0000

On your 2002 page, I’ve tested the “demo link” in I.E 6 and Opera 9.50. For the two browsers, I’ve got “error, page not found”, in Opera, it’s clearly stated : “this port is forbidden for security reasons”.

By: James Attard

James Attard — Tue, 01 Jul 2008 12:35:32 +0000

@Sandro

Yes you’re right. There are many possibilities, and I didn’t foresee that it can also exploit internal services, yet achieving the same results.

By: Sandro

Sandro — Tue, 01 Jul 2008 11:41:46 +0000

James – I wouldn’t say it only affects the home users. Having a corporate firewall will not block connections to the internal servers (ones behind a firewall). This functionality can be very flexible from an attacker’s point of view ;-)

By: James Attard

James Attard — Tue, 01 Jul 2008 09:02:07 +0000

Excellent paper Sandro. This form of attack is especially targeted to home users where firewalls do not exist, or otherwise do not block outgoing ports. About time to think out of the box and not just consider incoming traffic when it comes to securing a home network :)

By: Which ports do web browsers block? « EnableSecurity

Which ports do web browsers block? « EnableSecurity — Mon, 23 Jun 2008 11:38:31 +0000

[...] Which ports do web browsers block? 23Jun08 This is a continuation of the previous post on the subject of HTML forms abuse. [...]

By: Formularze HTML nadal niebezpieczne | Pozycjonowanie artykuły - art.mxh.pl

Formularze HTML nadal niebezpieczne | Pozycjonowanie artykuły - art.mxh.pl — Mon, 23 Jun 2008 09:11:29 +0000

[...] Gauci z firmy EnableSecurity opublikował w 2002 roku raport na temat zagrożeń wynikających z przesyłania danych za pośrednictwem formularzy HTML. Teraz wydano zaktualizowaną [...]

By: Coaroo

Coaroo — Sat, 21 Jun 2008 15:24:09 +0000

That’s interesting but, as a non-expert, I have trouble to visualize the attack. Would it be possible to have a test page, you know, like there is page to test if your browser is vulnerable to spoofing.
Also, if it’s not possible to solve the problem with the browser, can it be done with the OS ? By closing some ports, for instance ?

By: Giannella

Giannella — Thu, 19 Jun 2008 16:34:39 +0000

Re [1]: Yeah I saw that this morning — and no fix yet 8-(

By: Sandro

Sandro — Thu, 19 Jun 2008 15:32:04 +0000

I think they’re doing a good job on the whole, considering all the attacks coming their way. Firefox has its own set of problems [1] believe me ;-)

With the flexibility that we have with HTTP, its easy to overlook something like the attack that I (and others have) describe. I’m sure that there are similar scenarios that have not been previously published and that will affect all web browsers because of the nature of the HTTP protocol.

[1] http://blog.mozilla.com/security/2008/06/18/new-security-issue-under-investigation/