Advanced web application attacks

In 2003-2008 I researched advanced topics in web application security. Here are some favorite results:

Address bar spoofing for IE6, October 2008

CVE-2008-4787, CVE-2008-4788

A Refreshing Look at Redirection (educational write-up), November 2006

Sending arbitrary HTTP requests with Flash 7/8 (+IE 6.0), August 2006

Under some conditions, it's possible to steal HTTP credentials using Flash, August 2006

Forging HTTP request headers with Flash, July 2006

Errata (July 26th, 2006):

A reader going by the nickname "xeek" pointed out to me that
the examples in the paper making use of the HTTP GET request
do not work as-is (thanks xeek!). After looking at the matter,
I realized that I made a silly mistake. In my research, I
toyed with the LoadVars.send() method with 2 arguments
(url and target window), and had Flash automatically
select the appropriate method (GET if empty body, POST if
non-empty body). The exploit works fine this way. When I
documented my findings, I decided to explicitly add the HTTP
method, to clarify the write-up. BIG mistake - turns out
that in such a case, Flash doesn't send the headers if GET is
used (sounds like a bug...). And a pity I didn't verify the exact
code I used in the write-up...

Anyway, to summarize - there's a mistake in the document,
and it's easily fixed. In each GET example, simply remove
the explicit method (i.e. delete all instances of ,"GET" in
the write-up). For example (the first example in the paper):

[...]
req.send("http://www.vuln.site/some/page.cgi?p1=v1&p2=v2",
"_blank");

This works as advertised, and as also verified by xeek.

IE + some popular forward proxy servers = XSS, defacement (browser cache poisoning), May 2006

Path Insecurity, March 2006

HTTP Response Smuggling, February 2006

Domain Contamination, February 2006

XST Strikes Back, January 2006

Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a lot more..., September 2005

CVE-2005-4827

Detecting and Preventing HTTP Response Splitting and HTTP Request Smuggling Attacks at the TCP Level, August 2005

NTLM HTTP Authentication is Insecure by Design, July 2005

DOM Based Cross Site Scripting, July 2005

Meanwhile, on the other side of the web server, June 2005

HTTP Request Smuggling (with Chaim Linhart, Ory Segal and Steve Orrin), June 2005

CVE-2005-2088, CVE-2005-2090, Bugtraq ID 13873, Bugtraq ID 14106

Errata (September 22nd, 2005):

Noam Ben-Yochanan commented that IIS/5.x provides the programmer with a way to consume
the request body (beyond the 48K usually read), thus disabling the HTTP Request Smuggling
caused by this anomaly. Noam sent me a link that explains this:

Microsoft Knowledge Base article #810957: http://support.microsoft.com/default.aspx?scid=kb;en-us;810957

The short story is that IIS reads the body in buffers of 48KB (the default
value of UploadReadAheadSize in the MetaBase registry). It probably always reads
the first buffer.
Now, the HTTP Request Smuggling trick works by sending any Content-Type
OTHER THAN application/x-www-form-urlencoded. This means that no component in IIS
parses the body and consumes further data, so IIS stops reading after those 48K, and whatever
comes next is treated as the next request (while MS says it is "by design", in my
opinion this is still a bug, and one with security implications).

Full discussion here.

The Insecure Indexing Vulnerability - Attacks Against Local Search Engines, February 2005

Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Other Topics, March 2004

An advisory against Microsoft Outlook Web Access (OWA) for Exchange 5.5 was published on August 11th, 2004: CVE-2004-0203, Microsoft Security Bulletin MS04-026, CERT Vulnerability Note VU#948750.

XS(T) attack variants which can, in some cases, eliminate the need for TRACE, January 2003