Arshan over at Aspect posted something that sounds very familiar indeed over on his blog.

Disclaimer: I know this isn’t earth-shattering now when the sandbox isn’t there, but I think it’s cool that using image tags we can create a completely covert channel for bypassing the same origin policy and control browsers remotely. Just to be clear, this is not a traditional same-origin bypass where we’re on http://evil.com/ and we’re talking to http://mybank.com/. We’re talking about a hijacked client who’s in collusion with an evil server that wants to deliver the client some message, be it a code payload, instructions, etc. Can we restrict JavaScript from dynamically loading image tags? No more image pre-loading? I doubt it! Here’s how it works.

* Client dynamically creates an Image() and points the source to http://evil.com/evil.cgi?password=somesecret
* Server responds with an image that is 16 pixels tall and 1 pixel wide (16 represents in this phase the total length of the payload)
* Client then starts a loop that iterates 16/2 times:
  o Client dynamically creates a new Image() and points the source to http://evil.com/evil.cgi?password=somesecret&i=
  o The new image has height x, width y
  o Client appends ASCII character value of x onto payload string
  o Client appends ASCII character value of y onto payload string
* Client now has an authenticated, 16-length payload to do whatever they want with
Hehe. I was wondering when someone would talk about this! John Terrill and I looked at this back in late 2006, early 2007 and took this a little further than Arshan did. Here is what we came up with:

The carrying capacity of a side channel is an important factor. Arshan's solution is not very good because of its limited capacity: every image fetched carries only two small integers. How can we use dimensions as a side channel and not have to send tens of kilobytes to transfer a few bytes of data in the side channel? That's the "$1,000,000 and a Monster Truck" question which started John and me researching. Let's take GIF images. According to the spec, length and width are 16-bit integers, giving us 4 bytes of data per image. However, if I need to send 0xFFFFFFFF it would suck to have to transmit an image that is 65535x65535. That would be huge. But GIFs are compressed, right? Remember that JavaScript cannot access the pixel data of the Image objects it creates, so we really don't care about what's in this picture. What if we make it all white? That should compress well. While it does, you are still sending ...
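A defender-side way to spot the pattern both posts describe (one endpoint answering a burst of tiny GIFs whose declared width and height keep changing), added here as an example and not code from either post. It reads the 16-bit width/height fields from the GIF logical screen descriptor mentioned above; the record format, the `i` counter name and the sample traffic are constructed assumptions.

```python
import struct
from collections import defaultdict
from urllib.parse import urlparse, parse_qs, urlencode


def gif_dimensions(body: bytes):
    """Width/height from the GIF logical screen descriptor (two 16-bit LE ints), or None."""
    if len(body) < 10 or body[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack("<HH", body[6:10])


def base_url(url: str, counter_param: str = "i") -> str:
    """URL with the per-request counter stripped, so one polling loop groups together."""
    p = urlparse(url)
    q = {k: v for k, v in parse_qs(p.query).items() if k != counter_param}
    query = urlencode(q, doseq=True)
    return f"{p.scheme}://{p.netloc}{p.path}" + (f"?{query}" if query else "")


def find_dimension_channels(records, min_requests: int = 4, max_body: int = 256):
    """records: iterable of (request_url, response_body) from a proxy or cache.

    Returns {base_url: request_count} for endpoints that served many tiny GIFs
    with varying declared dimensions. A normal tracking pixel is tiny too, but
    it repeats one size; a dimension side channel has to vary it."""
    groups = defaultdict(list)
    for url, body in records:
        dims = gif_dimensions(body)
        if dims is None or len(body) > max_body:
            continue
        groups[base_url(url)].append(dims)
    return {base: len(d) for base, d in groups.items()
            if len(d) >= min_requests and len(set(d)) > 1}


def sample_gif(width: int, height: int) -> bytes:
    """Constructed sample body: signature + screen descriptor + trailer, no pixels."""
    return b"GIF89a" + struct.pack("<HH", width, height) + b"\x00\x00\x00\x3b"


# Constructed sample traffic (not real logs): a benign 1x1 pixel hit five times,
# then a four-step fetch loop where each response carries two bytes in its size.
SAMPLE = [("http://ads.example/pixel.gif", sample_gif(1, 1))] * 5 + [
    (f"http://evil.example/evil.cgi?password=s&i={i}", sample_gif(w, h))
    for i, (w, h) in enumerate([(72, 105), (33, 0), (16, 1), (65, 66)])
]
```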