Re: Reverse Proxy Cross Site Scripting

To: bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, Shalom Carmel <shalom@xxxxxxxxxx>
Subject: Re: Reverse Proxy Cross Site Scripting
From: "Amit Klein (AKsecurity)" <aksecurity@xxxxxxxxxx>
Date: Tue, 17 Jan 2006 10:13:40 +0200
In-reply-to: <004a01c619c1$6f205410$2501000a@xxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Priority: normal

Hi

Please see my comment below,

Thanks,
-Amit

On 15 Jan 2006 at 12:49, Shalom Carmel wrote:

>            A Mini-paper
>           Reverse Proxy Cross Site Scripting
> 
> Author: Shalom Carmel
> Date: January 13, 2005
> 

[...]

> 
> The attacker site is called http://www.victim.com.victin.com
> The attacker's apache server is configured to serve html documents from
> directory /xss , and has the following reverse proxy definitions:
> 
> ProxyPass / http://www.victim.com/
> ProxyPassReverse / http://www.victim.com/
> 

[...]

> When someone accesses the address
> http://www.victim.com.victin.com/xss/x_page.html
> the browser will load the page from the attacked web site and attempt to
> access
> its contents. While the loading will succeed, the access wil fail.
> 
> However, when the attacking page is modified to refer to the proxy relay,
> 
> <iframe name="win1111" id="win1111" src="/v_page.html">
> 
> This time, the script will not fail. It will enable the attacker to access
> and modify the contents of the victim web site.

As far as my understanding goes, this is NOT a cross site scripting. The 
browser fetches 
the URL http://www.victim.com.victin.com/v_page.html, so it's still in the 
www.victim.com.victin.com site (it has not CROSSED to the www.victim.com 
site!). This is an 
important distinction. The x_page.html does indeed have access to the frame, 
and that's 
because the frame is in the same site (from the browser's perspective) - 
www.victim.com.victin.com. the browser will not allow x_page (or v_page!) to 
access any 
content from www.victim.com (again, from the browser's perspective!), such as 
cookies, 
URLs, etc. 

What you do have here is a man-in-the-middle attack. That is, you lured the 
client to 
browse to your server (www.victim.com.victin.com), which is a proxy for 
www.victim.com. 
This is a well known attack (e.g. http://www.schneier.com/essay-083.html), and 
you can 
implement it more elegantly by not doing anything at the client side, just 
monitor (and 
possibly modify) the HTTP requests/responses through Apache hooks, all at the 
server side.

To summarize: MITM <> XSS. With MITM, the browser will see original content 
from 
www.victim.com, but it will not associate it with www.victim.com, but rather, 
to 
www.victim.com.victin.com. Two different domains (from the browser's 
perspective). So (for 
example) you may be able to lure the client to login to this fake site (and 
record the 
credentials on the way). On the other hand, if (say) the client is already 
logged in to the 
real www.victim.com (in another window), you won't be able to access his/her 
credentials. 
With XSS, you will be able to access those credentials.

Hope that clarifies things.

References:
- Reverse Proxy Cross Site Scripting
  - From: Shalom Carmel

Prev by Date: ERRATA: [ GLSA 200601-09 ] Wine: Windows Metafile SETABORTPROC vulnerability
Next by Date: XSS in WBNews < = v1.1.0
Previous by thread: Reverse Proxy Cross Site Scripting
Next by thread: [eVuln] Benders Calendar SQL Injection
Index(es):
- Date
- Thread