Curiouser and Curiouser


Acidus
I am a hacker and you are afraid and that makes you more dangerous than I ever could be.

Using Image Dimensions as a side channel
Topic: Technology 1:16 pm EST, Feb 14, 2008

Arshan over at Aspect posted something that sounds very familiar indeed over on his blog.

Disclaimer: I know this isn’t earth-shattering now when the sandbox isn’t there, but I think it’s cool that using image tags we can create a completely covert channel for bypassing the same origin policy and control browsers remotely. Just to be clear, this is not a traditional same-origin bypass where we’re on http://evil.com/ and we’re talking to http://mybank.com/. We’re talking about a hijacked client who’s in collusion with an evil server that wants to deliver the client some message, be it a code payload, instructions, etc. Can we restrict JavaScript from dynamically loading image tags? No more image pre-loading? I doubt it!

Here’s how it works.

* Client dynamically creates an Image() and points the source to http://evil.com/evil.cgi?password=somesecret
* Server responds with an image that is 16 pixels tall and 1 pixel wide (16 represents in this phase the total length of the payload)
* Client then starts a loop that iterates 16/2 times:
    o Client dynamically creates a new Image() and points the source to http://evil.com/evil.cgi?password=somesecret&i=
    o The new image has height x, width y
    o Client appends ASCII character value of x onto payload string
    o Client appends ASCII character value of y onto payload string
* Client now has authenticated, 16-length payload to do whatever they want with

Hehe. I was wondering when someone would talk about this! John Terrill and I looked at this back in late 2006, early 2007 and took this a little further than Arshan did. Here is what we came up with:

The carry capacity of a side channel is an important factor. Arshan's solution is not very good because of the limited capacity. How can we use dimensions as a side channel and not have to send tens of kilobytes to transfer a few bytes of data in the side channel? That's the "$1,000,000 and a Monster Truck" question which started John and me researching.

Let's take GIF images. According to the spec, length and width are 16-bit integers, giving us 4 bytes of data. However, if I need to send 0xFFFFFFFF it would suck to have to transmit an image that is 65535x65535. That would be huge. But GIFs are compressed, right? Remember that JavaScript cannot access pixel data of the Image objects it creates, so we really don't care about what's in this picture. What if we make it all white? That should compress well. While it does, you are still sending a...
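From the defender's side, the channel described in this post leaves a recognizable trace: one image URL path that keeps returning different dimensions, most of them in the printable ASCII range. The following detection sketch for Node.js is an added example, not code from Arshan's or Acidus's posts; the function names, thresholds, and header-only sample buffers are assumptions constructed for illustration.

```javascript
// Reads width/height from the GIF Logical Screen Descriptor (bytes 6-9,
// little-endian 16-bit each); no pixel data is decoded.
function gifDimensions(buf) {
  if (buf.length < 10) return null;
  const sig = buf.toString('latin1', 0, 6);
  if (sig !== 'GIF87a' && sig !== 'GIF89a') return null;
  return { width: buf.readUInt16LE(6), height: buf.readUInt16LE(8) };
}

const printable = (n) => n >= 0x20 && n <= 0x7e;

// responses: image bodies seen for repeated requests to ONE URL path
// (query string ignored). A static image keeps its size; a channel does not.
// minSamples and the two ratios are assumed thresholds, to be tuned on real traffic.
function assessEndpoint(responses, minSamples = 4) {
  const dims = responses.map(gifDimensions).filter(Boolean);
  const distinct = new Set(dims.map((d) => `${d.width}x${d.height}`)).size;
  const asciiLike = dims.filter((d) => printable(d.width) && printable(d.height)).length;
  // Decode in the order the post gives: height (x) first, then width (y).
  const decoded = dims
    .map((d) => (printable(d.height) && printable(d.width)
      ? String.fromCharCode(d.height, d.width) : '??'))
    .join('');
  const suspicious = dims.length >= minSamples &&
    distinct / dims.length > 0.5 && asciiLike / dims.length > 0.8;
  return { samples: dims.length, distinct, asciiLike, decoded, suspicious };
}

// Constructed sample data: header-only GIF buffers (signature + screen descriptor).
function fakeGif(width, height) {
  const b = Buffer.alloc(13);
  b.write('GIF89a', 0, 'latin1');
  b.writeUInt16LE(width, 6);
  b.writeUInt16LE(height, 8);
  return b;
}

// Constructed traffic: a 1x16 "length" image followed by eight two-character images.
const channel = [fakeGif(1, 16), ...['HE', 'LL', 'O-', 'SI', 'DE', '-C', 'HA', 'N!']
  .map((p) => fakeGif(p.charCodeAt(1), p.charCodeAt(0)))];
// Constructed benign case: the same 120x60 logo served six times.
const logo = Array.from({ length: 6 }, () => fakeGif(120, 60));

console.log(assessEndpoint(channel), assessEndpoint(logo));
```

The benign logo's dimensions (120 and 60) are themselves printable ASCII values, which is why the check requires the dimensions to vary across responses as well.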



YouTube - Honda Element Ad (Crab & Pig)
Topic: Miscellaneous 11:21 am EST, Feb 12, 2008

Surreal.



Taxi to the Dark Side
Topic: Current Events 11:30 pm EST, Feb  9, 2008

Put people in a crazy situation and people do crazy things

You have no right to a lawyer
You have no right to witnesses
You don't really know what the charges are
And you certainly don't know what the secret evidence is against you

It's not about left or right, it's about right and wrong

This is playing in Atlanta at The Landmark



xkr.us / javascript / escape(), encodeURI(), encodeURIComponent()
Topic: Miscellaneous 11:27 pm EST, Feb  9, 2008

The purpose of this article is to examine the differences between these three methods and decide on the appropriate times to use each.

Handy.



HP Aims To Improve Software Management -- Hewlett-Packard -- InformationWeek
Topic: Miscellaneous 4:53 pm EST, Feb  6, 2008

Nine out of the world's top 11 security hackers came to HP through the SPI Dynamics acquisition, he boasts, although it's not immediately clear who ranked those top 11.

Just in case the world missed the memo.

... ... [sigh] I can't even think of what to say about this. Expressing oneself through charts is a good idea.



The unsettling calm
Topic: Miscellaneous 3:51 pm EST, Feb  6, 2008

There is an electric and unsettling calm after you compose certain kinds of emails and then you click "send."


Pickles + FedEx = teh Awesome!!!111
Topic: Miscellaneous 12:37 pm EST, Feb  5, 2008

After we wrote the book, Addison Wesley sent Bryan and me some pre-paid FedEx envelopes so we could send signed copies of the book to the reviewers and editors. Our pal Vinnie Liu was a reviewer but he had already come by our offices in Atlanta where he received his signed copy.

This presented Caleb and me with a very interesting situation: We had a prepaid and pre-addressed FedEx envelope for Vinnie and nothing legitimate that we needed to send him.

What to do, what to do?

So we cut out the tracking number, cut out the return address, and we sent him a giant pickle.

No message. No Explanation. Just Pickle.

Beware friends beware. The pickle wars have begun!



Sorry, this page requires a crappy out of date browser
Topic: Miscellaneous 11:51 am EST, Feb  5, 2008

Sorry, this page must be viewed by Internet Explorer 3.0 or greater.

Your current browser ( Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11) is not supported.

Are you kidding me? It's 2008, and you are giving me IE3+ messages? ...[grits teeth] ... ... [head explodes]



provos.pdf (application/pdf Object)
Topic: Miscellaneous 11:27 am EST, Feb  5, 2008

Excellent paper



'SideJacking' is fucking retarded.
Topic: Technology 4:05 pm EST, Feb  4, 2008

[sigh]

...

This whole "SideJacking" meme is especially annoying and amusing to me. I've had people contact me (neither Robert nor Dave, mainly reporters and non-web infosec guys) asking my opinion on this dangerous attack. These are the same people who have also said to me in the past that XSS isn't interesting because it's just cookie theft and that's not very sexy.

...

SIDE JACKING IS COOKIE THEFT YOU JACKASS! [SMACK]

Why the hell are we still talking about this?


