Ben, we have reproduced the vulnerability on many occasions. First of all, at least to steal the session, it does not matter if X-Frame-Options is set to deny/same-origin. Secondly, we were able to easily bypass the alert popup. It is not needed if you implement the "waiting" logic with a synchronous AJAX call or a looped wait (there is no sleep in JS). The most important part is that the "1.php" in the original POC should implement a sleep itself. This seems to do the trick to allow setTimeout to be assigned in the iframe prior to being redirected to the target site. It has nothing to do with Cloudflare.

Nevertheless, it is particularly difficult in my opinion to serve one HTML page to target multiple web sites at once in a phishing/session-stealing attack. This is because alert/synchronous AJAX/custom sleep lock the browser resources, so other iframe-based (independent) attacks cannot be executed. Using asynchronous AJAX with onreadystate does not seem to work. But, of course, the alert dialog can still be easily bypassed, so web users can't do anything to avoid a single exploitation.

Regards,
Dimitris Strevinas
Chief Security Engineer / Obrela Security Industries
Source: Gmail -> IFTTT-> Blogger