<<< Date Index >>>     <<< Thread Index >>>

Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

Guy Podjarny wrote:

Another similar option is to use a single-use random value (not
encrypted), that gets invalidated after it's served back. 
You can save the random value on the (non persistent) session
(server-side), and serve the PDF only if the correct random value is
provided. Once a random value has been used, it's cleared (single-use). 
In any case where the wrong value is provided - recreate a random value,
save it on the session, and redirect to the PDF with it (same behavior
as when the token isn't provided at all).


Here's an attack against this scheme:

Attacker sends the user a link to http://www.attacker.site/script.cgi
When the user requests http://www.attacker.site/script.cgi, the script.cgi requests file.pdf from vuln.site. It gets back a redirection URL and a session cookie. Then, it creates a Flash object that requests the URL with an injected Cookie header (with the session cookie) and serves this to the victim client. Voila.