[Full-disclosure] MouseOverJacking attacks
mustlive at websecurity.com.ua
Sun Jan 3 21:50:29 GMT 2010
First of all, Happy New Year to you and to all participants of the list.
And about your letter.
> If you can inject arbitrary HTML into a web page,
When you are talking about arbitrary HTML, then it means possibility to
inject angle brackets and in my article I'm talking about hardest cases,
where using of angle brackets is not possible.
> there are plenty of ways (many of them easier or more flexible than this)
Yes, in other cases there can be used other XSS attack vectors. But I'm
talking about hardest cases, where only using of events of html objects are
possible. As I clearly wrote about it in my article. Here is a quote from
It's possible to intercept onMouseOver events in Cross-Site Scripting
vulnerabilities, when other vectors of XSS attacks are impossible at the
site. For example, in case of filtration at the server or using of WAF.
So in such rare cases, when you can only use events of html objects for
attack, you can use MouseOverJacking technique instead of common XSS attack,
to conduct this XSS attack automatically.
Also in my article I wrote that MouseOverJacking can be used for other
attacks (DoS, CSRF and others).
> None of this is considered particularly novel at this point.
All of attack vectors mentioned by you are known to me for a long time. It's
known XSS attack vectors. As I said, MouseOverJacking can be used in hard
cases (when other automated XSS attacks are not possible), to make
automation of such attack.
Besides, as I see from conversation with different people about
MouseOverJacking (including you), people didn't see the possibility of using
this attack technique not only in rare cases, but in more widespread cases
of XSS attacks. As I hinted about it in my article ;-). So at the end of
December I decided to make a new article with description of wider use of
MouseOverJacking for XSS attacks. And I'll write it soon.
> - Embedded objects (say, Flash, using ExternalInterface)
Or Flash with getURL.
About XSS attack via Flash I have another article - XSS vulnerabilities in 8
millions flash files (http://websecurity.com.ua/3789/). Which you can read.
Best wishes & regards,
Administrator of Websecurity web site
----- Original Message -----
From: "Andrew Farmer" <andfarm at gmail.com>
To: "MustLive" <mustlive at websecurity.com.ua>
Cc: <full-disclosure at lists.grok.org.uk>
Sent: Thursday, December 31, 2009 7:15 AM
Subject: Re: [Full-disclosure] MouseOverJacking attacks
On 29 Dec 2009, at 13:48, MustLive wrote:
> Recently, 26th of December 2009, I wrote the article MouseOverJacking
> attacks (http://websecurity.com.ua/3807/), and today I
> wrote English version of it (http://websecurity.com.ua/3814/).
Hardly news. If you can inject arbitrary HTML into a web page, there are
plenty of ways (many of them easier or more flexible than this) you can get
- <script> tags, obviously
- Binding other events that'll trigger without an event, like onLoad
- CSS (either inline, in a <style>, or loaded from another site with <link
rel="stylesheet">) containing any of:
* expression() (MSIE only?)
- Embedded objects (say, Flash, using ExternalInterface)
None of this is considered particularly novel at this point.=
Full-Disclosure is hosted and sponsored by Secunia.