Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The mass CSRFing of *.google.com/* products

Posted by missoumsai, 5 years ago
  • Cross-Site Request Forgery (CSRF) is a somewhat dying bug class in the age of modern browsers and defaults such as SameSite cookies and anti-CSRF tokens. When it is found, however, the impact is severe: a single click can force actions to be performed as the victim user.
  • This exploit only worked against Google products viewed in Internet Explorer. Why? Content sniffing: the practice of inspecting the bytes of a response to deduce the ACTUAL file format, even when the server specifies a Content-Type header.
  • Why is this a security issue? If the browser decides that something the server called a text file is really HTML, it renders it as HTML, and any script inside runs in the serving site's origin, even though the server never intended to serve HTML.
  • Earlier research showed that PDFs can carry a scripting language called FormCalc, which can issue GET, POST and PUT requests (it is an Adobe XFA feature, so it only runs in Adobe Reader). Why is this a big deal? If an attacker can upload a PDF and have it served inline from a target origin, FormCalc inside that PDF can make requests to that origin as the viewing user and read the responses.
  • The MIME-sniffing trick extends this: IE can be tricked into treating the response from almost any URL as a PDF, so the attacker no longer needs an upload feature. Because the sniffed PDF is treated as belonging to the hosting domain, the FormCalc requests run against that domain, bypassing the Same-Origin Policy (SOP) in the same way as the earlier research.
  • To perform the attack, append ;.pdf to the end of a URL and make sure the response contains PDF-looking content (attacker-controlled bytes that IE sniffs as a PDF). With that in place it is possible to make arbitrary requests from the user's browser against the hosting domain. The new piece of research here is combining the MIME-sniffing trick with the known PDF SOP bypass, which makes it MUCH more exploitable.
  • In the research, the most common place for this vulnerability was CSV export/import functionality, because an exported CSV echoes user-supplied data back in the response body. Although it only affected IE and several clicks were required, Google paid out 30K!
  • Slightly confused on this (the article is not the best-explained article), so feel free to reach out to correct any wrong parts of this post. Thanks!
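As an added illustration of the CSV-export case (my own example code, not the original article's or Google's, and not a reproduction of IE's real sniffing algorithm): a tiny export handler in its weak and hardened forms, a deliberately simplified model of a client that sniffs inline responses for a PDF header, and an audit function a reviewer could run over a response. The function names, the 1024-byte sniff window, the `;.pdf` path handling and the sample rows are all assumptions made for the example.

```python
"""Model of the CSV-export content-sniffing issue summarised above.

Hypothetical example code for this page. The sniffing client below is a
deliberately simplified model, not any real browser's algorithm.
"""
import csv
import io

SNIFF_WINDOW = 1024  # assumption: a lenient client searches this many leading bytes
PDF_MAGIC = b"%PDF-"


def csv_body(headers, rows):
    """Serialise rows to CSV bytes. Cell values are user-supplied, so untrusted."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(headers)
    writer.writerows(rows)
    return buf.getvalue().encode("utf-8")


def export_weak(path, headers, rows):
    """Weak export: correct Content-Type, but nothing forbids sniffing or inline rendering.

    Assumption: the route tolerates trailing path junk such as ';.pdf' and serves anyway.
    """
    return {
        "path": path,
        "status": 200,
        "headers": {"Content-Type": "text/csv; charset=utf-8"},
        "body": csv_body(headers, rows),
    }


def export_hardened(path, headers, rows):
    """Hardened export: forbid sniffing, force a download, and serve only the canonical path."""
    if path != "/export.csv":
        # The ';.pdf' suffix trick depends on the server answering a non-canonical path.
        return {"path": path, "status": 404, "headers": {}, "body": b""}
    return {
        "path": path,
        "status": 200,
        "headers": {
            "Content-Type": "text/csv; charset=utf-8",
            "X-Content-Type-Options": "nosniff",
            "Content-Disposition": 'attachment; filename="export.csv"',
        },
        "body": csv_body(headers, rows),
    }


def _lower_headers(response):
    return {k.lower(): v for k, v in response["headers"].items()}


def client_treats_as_pdf(response):
    """Simplified model of a sniffing client deciding to hand a response to a PDF plugin.

    Assumed behaviour (not a real browser's): a 200 response is rendered inline unless
    it is marked as an attachment; the declared type is honoured when nosniff is set;
    otherwise the client looks for the PDF magic within the first SNIFF_WINDOW bytes.
    """
    if response.get("status", 200) != 200:
        return False
    h = _lower_headers(response)
    if h.get("content-type", "").split(";")[0].strip() == "application/pdf":
        return True
    if "attachment" in h.get("content-disposition", "").lower():
        return False  # downloaded, never rendered by a plugin in the site's origin
    if h.get("x-content-type-options", "").strip().lower() == "nosniff":
        return False  # declared Content-Type is honoured
    return PDF_MAGIC in response["body"][:SNIFF_WINDOW]


def audit_export(response):
    """Return the findings a reviewer would raise against an export response."""
    findings = []
    h = _lower_headers(response)
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "attachment" not in h.get("content-disposition", "").lower():
        findings.append("missing Content-Disposition: attachment")
    if PDF_MAGIC in response["body"][:SNIFF_WINDOW]:
        findings.append("informational: untrusted bytes in sniff window look like a PDF header")
    return findings


# Constructed sample data: one attacker-controlled cell that starts like a PDF document.
HEADERS = ["id", "name", "note"]
ROWS = [
    ["1", "alice", "quarterly numbers"],
    ["2", "mallory", "%PDF-1.4 (a FormCalc-bearing PDF body would follow here)"],
]

if __name__ == "__main__":
    weak = export_weak("/export.csv;.pdf", HEADERS, ROWS)
    hard = export_hardened("/export.csv", HEADERS, ROWS)
    print("weak     -> rendered as PDF:", client_treats_as_pdf(weak), audit_export(weak))
    print("hardened -> rendered as PDF:", client_treats_as_pdf(hard), audit_export(hard))
```

The point the audit makes is that the fix lives in the response headers and routing, not in the CSV content: the hardened export still carries the attacker's `%PDF-` bytes, but `nosniff` plus `attachment` means no sniffing client gets to render them inline in the site's origin, and refusing the `;.pdf` path removes the trigger entirely.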