Proxy protection NOT used, I can bypass X-Frame-Options

Mark Doliner mark at kingant.net
Tue Jun 16 12:35:29 EDT 2015


Hi there. Thanks for sharing with us. If I understand correctly, I
think this is probably something that we don't wish to act on.

No matter what checks we put in place it will ALWAYS be possible for a
malicious person to proxy traffic to and from our site. We could
certainly add rudimentary checking that prevents some proxies from
working, but a dedicated person could always craft requests that
exactly mimic a client web browser.

Also there are legitimate uses for proxying that users benefit from.
In my mind the small potential benefit of reduced user harm does not
justify the downsides of blocking proxy traffic.

Thanks,
Mark Doliner

On Tue, Jun 16, 2015 at 12:54 AM,  <ashesh1708 at gmail.com> wrote:
> Proxy protection NOT used, I can bypass X-Frame-Options
>
> I see that you don't have reverse proxy protection; this allows all users
> to proxy your website rather than iframe it. They use it for
>
> + Phishing
> + Tricking first-time Coinbase users that the (fake website) is the original website
> + Debugging pidgin.im (see all requests and responses made on the fake website)
>
> **Exploit**
>
> 1. I will create a fake website which closely matches your domain or any
> other confusing domain.
> 2. I will post on many forums that "pidgin.im is best" etc. with my fake
> website link (better to use a URL shortener!)
> 3. He will visit there and sign up.
> 4. As I have made that proxy, I can see all requests made through it, thus
> passwords also!
> 5. I will hack him.
>
>> NOTE: When he clicks on the confirmation link in his email, he is redirected
>> to the ORIGINAL website, but I will get his password and username and I would
>> log in with the username and password I have on the original website.
>
>
> How Facebook Handles it (Amazing Protection):
> http://i.gyazo.com/1ca03e64dac455f24d0ac1c4a59218e4.png (
> https://translate.google.com/translate?hl=en&sl=auto&tl=zu&u=facebook.com )
>
> How your website handles it :( ->
> https://translate.google.com/translate?hl=en&sl=auto&tl=zu&u=pidgin.im
>
> An attacker can remove the Translate interface to make the website look
> real; contact me if you want a demo of that.
> **POC**
> I have attached a complete video with POC.
>
> POC URL:
> https://translate.google.com/translate?hl=en&sl=auto&tl=zu&u=pidgin.im  `try
> submitting real login data (of test account) You'll get logged in!`
>
>
> **FIX**
>
> Here is the code that I use for stopping 100% of these types of sites:
>
>
>     RewriteEngine on
>     # Reject the request if any proxy-indicating header carries a value.
>     # %{HTTP:name} takes the header name as it appears on the wire.
>     RewriteCond %{HTTP:Via}                !^$ [OR]
>     RewriteCond %{HTTP:Forwarded}          !^$ [OR]
>     RewriteCond %{HTTP:User-Agent-Via}     !^$ [OR]
>     RewriteCond %{HTTP:X-Forwarded-For}    !^$ [OR]
>     RewriteCond %{HTTP:Proxy-Connection}   !^$ [OR]
>     RewriteCond %{HTTP:X-Proxy-Connection} !^$ [OR]
>     RewriteCond %{HTTP:PC-Remote-Addr}     !^$ [OR]
>     RewriteCond %{HTTP:Client-IP}          !^$
>     # The last condition has no [OR], so it closes the OR chain.
>     RewriteRule ^(.*)$ - [F]
>
>
> To use this code, copy & paste it into your site's root `.htaccess` file.
> Upload it to your server and test its effectiveness! It is perfect and,
> compared to blacklisting a million sites of this kind, it's lightweight,
> concise, and very effective.
>
>
> DATE: 16/06/2015
> HOUR: 07:54:26 am
> IP: 127.6.47.129
>
>
> _______________________________________________
> security mailing list
> security at pidgin.im
> https://pidgin.im/cgi-bin/mailman/listinfo/security
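The header test in the quoted .htaccess, rendered as a request filter so both sides of the argument can be run (an added example, not code from this thread or from Pidgin): the constructed sample requests show that the rule rejects a legitimate user behind a corporate proxy that adds a Via header, while a reverse proxy that strips those headers and replays the browser's request looks identical to a direct visit.

```python
# Added example, not code from this thread: the quoted .htaccess rule as
# a request filter, with constructed requests for the two cases Mark raises.
from typing import Mapping

# Headers the reporter's RewriteCond lines test for a non-empty value,
# written as HTTP header names (the form %{HTTP:header} documents).
PROXY_HEADERS = (
    "Via", "Forwarded", "User-Agent-Via", "X-Forwarded-For",
    "Proxy-Connection", "X-Proxy-Connection", "PC-Remote-Addr", "Client-IP",
)


def matched_conditions(headers: Mapping[str, str]) -> list[str]:
    """Return the proxy-indicating headers present with a non-empty value.

    HTTP header names are case-insensitive, so compare lowercased; a blank
    value counts as absent, matching the `!^$` test in the rules.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    return [h for h in PROXY_HEADERS if lowered.get(h.lower(), "").strip()]


def decide(headers: Mapping[str, str]) -> int:
    """Mirror of `RewriteRule ^(.*)$ - [F]`: 403 when any condition matched."""
    return 403 if matched_conditions(headers) else 200


# Constructed sample requests (not captured traffic).
BROWSER_DIRECT = {"Host": "pidgin.im", "User-Agent": "Mozilla/5.0",
                  "Accept": "text/html"}
# The same user behind a corporate forward proxy, which adds Via (RFC 7230).
BROWSER_VIA_CORP_PROXY = dict(BROWSER_DIRECT, Via="1.1 proxy.corp.example")
# A reverse proxy that strips the headers above and replays the browser's
# request verbatim: at the origin it is indistinguishable from BROWSER_DIRECT.
MIMICKING_PROXY = dict(BROWSER_DIRECT)


def summary() -> dict[str, int]:
    """Decision per sample: the legitimate proxied user is blocked, the
    mimicking proxy passes."""
    return {
        "browser_direct": decide(BROWSER_DIRECT),
        "browser_via_corp_proxy": decide(BROWSER_VIA_CORP_PROXY),
        "mimicking_proxy": decide(MIMICKING_PROXY),
    }


if __name__ == "__main__":
    for name, status in summary().items():
        print(f"{name}: {status}")
```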

