
XSS browser JS execution with website accessed through iFrame proxy solution

I have a question on XSS on a website accessed through an iframe proxy solution: bypassing the corporate proxy and executing code in the victim's browser.

This is in a security test process.

  • I'm on the LAN of a company, which uses a corporate proxy (obviously) [ named corporate.proxy below ].

  • To illustrate security phishing campaigns and XSS, I need to find a way to illustrate the lack of security filtering on the proxy side (I know the vuln needs to be corrected on the server side, but as a company you don't always choose which websites your users go to.. :)

  • I put a PHP proxy, to navigate in an iFrame, on my server outside, on the internet [ named my.outsideserver.com below ] (something like miniproxy). The URL of my miniproxy in my test is: h**p://my.outsideserver.com/miniproxy.php

  • If a traditionally blocked webpage (youpr0n) is accessed this time, by going from internal to this URL: h**p://my.outsideserver.com/miniproxy.php?url=youpr0n.com ==> I access the website...

Now my question: if a website is vulnerable to XSS [ named xss.vulnwebsite.com below ] here: h**p://xss.vulnwebsite.com?q= NB: imagine the website is youpr0n..

I can create a link like this: h* p://my.outsideserver.com/miniproxy.php?url=h *p://xss.vulnwebsite.com?q=

and send this link to a victim in the company in a phishing campaign. If the victim clicks on the link, I see two vulnerabilities there:

1) The first one is the proxy filtering bypass ---> the user from the company goes to a website which is normally blocked and is now accessible..

2) The real website (youpr0n) has an XSS, and by leveraging this XSS, code is executed in the victim's browser. NB: I know that because of the Same Origin Policy, the content loaded in an iFrame (if vulnerable to XSS) won't be able to be read...but..

Here's my question: the code is executed in the victim's browser.. The SOP (Same Origin Policy) will protect any user from the attacker reading the content on youpr0n (his session cookies, e.g.), but NOT protect his browser !!

If I send this link: h* p://my.outsideserver.com/miniproxy.php?url=h *p://xss.vulnwebsite.com?q=alert(1) I successfully see the popup displaying "1" in my browser. At the moment, the only browser protection is the browser's XSS filtering mechanism (?). Corporate proxy mechanisms are bypassed (correct? /0)

  • What do you think about all of that? It's crap, I'm sure (or not), don't blame me...
  • What are the mitigations (except telling users not to click shit..) for corporate proxies... are there dynamic security content filtering solutions that work.... ?

My point is to illustrate the risks; imagine I send phishing links by mail, spamming thousands of corporate users. The email subject is "Access any website from your company" by using our free proxy mechanism... You can see pr0n at work !!!!!

Then users will surely click on link (I would) :D

Thanks for your answers. Do you agree that code can be executed in the victim's browser? Do you agree on the proxy filtering bypass? What are the solutions (for the company...)?

A proxy like Miniproxy is acting as an HTTP client and displaying HTTP responses on http://my.outsideserver.com/miniproxy.php; the SOP is enforced by the browser. Therefore the browser treats all JavaScript displayed on http://my.outsideserver.com/miniproxy.php as originating from that source, regardless of where the miniproxy is obtaining the content.

In short, this is not an SOP abuse. Corporate firewalls are easy to bypass, but that is well known.

I recommend picking up a copy of "The Tangled Web" and reading the Google Browser Security Handbook.
