It could be used as a technique for defeating the login images used as "two-factor-authentication" by some online services.<br>The application of using filesize to fingerprint an image is somewhat novel. This is a decidedly 'old' vector, though.<br>
<br>-Travis<br><br><div class="gmail_quote">2010/4/21 Владимир Воронцов <span dir="ltr"><<a href="mailto:vladimir.vorontsov@onsec.ru">vladimir.vorontsov@onsec.ru</a>></span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Hello Full disclosure!<br>
<br>
Once again, unwinding theme HiJacking found a fun way to get the very<br>
least information about the target resource when the user is located at the<br>
attacker.<br>
<br>
Already crocked <img> tag opens new opportunities using the method<br>
fileSize, described here: <a href="http://msdn.microsoft.com/en-us/library/ms533752" target="_blank">http://msdn.microsoft.com/en-us/library/ms533752</a><br>
(v = VS.85). Aspx<br>
<br>
Consider a simple example - a Web application after authentication<br>
provides some sort of picture for the user, for example:<br>
<br>
<a href="http://example.com/getImage.php?image=myAvatar" target="_blank">http://example.com/getImage.php?image=myAvatar</a><br>
<br>
The attacker, knowing this can create a page to read:<br>
<br>
<img id="onsec" src="<a href="http://example.com/getImage.php?image=myAvatar" target="_blank">http://example.com/getImage.php?image=myAvatar</a>"><br>
<br>
<input type="button" onclick="if (onsec.fileSize> 0) (alert ('authorized<br>
on <a href="http://example.com" target="_blank">example.com</a>') else (alert ('not authorized on <a href="http://example.com" target="_blank">example.com</a>')}"><br>
<br>
Thus, the attacker learns the simplest case, whether the target user<br>
access to <a href="http://example.com" target="_blank">example.com</a>.<br>
<br>
Continuing the theme, I want to note that in some cases, can obtain<br>
additional information from the very values of the size of the picture. It<br>
can be any logical information Web applications, say, the same script can<br>
show administrators a picture of the same size, and users - of another.<br>
Thus, we obtain the user rights. And so on.<br>
<br>
I'd like to return the size of the method is not only "valid" images, but<br>
also HTML pages, JSON, etc. But, unfortunately, does not work. Maybe, of<br>
course, there are exceptions, call to investigate the matter.<br>
<br>
I have some thoughts on the study of vector images in XML format, because<br>
HTML is often valid XML, and then ...<br>
<br>
Check for the test version IE9, but he did not support SVG inside tag<br>
<img>, but only as a separate tag.<br>
<br>
Works in IE8, in Opera 10.52 does not work on check writing, if not<br>
difficult.<br>
<br>
Original at russian language: <a href="http://oxod.ru/?p=113" target="_blank">http://oxod.ru/?p=113</a><br>
<br>
--<br>
Best regards,<br>
Vladimir Vorontsov<br>
ONsec security expert<br>
<br>
_______________________________________________<br>
Full-Disclosure - We believe in it.<br>
Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>
Hosted and sponsored by Secunia - <a href="http://secunia.com/" target="_blank">http://secunia.com/</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C<br><a href="http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on">http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on</a><br>
<a href="http://pastebin.com/f6fd606da">http://pastebin.com/f6fd606da</a><br>