Showing 1 - 25 of 29

Files from Amit Klein

Real Name: Amit Klein
Email address: private
First Active: 2004-03-04
Last Active: 2016-02-11
Node.js HTTP Response Splitting
Posted Feb 11, 2016
Authored by Amit Klein

Node.js suffers from an HTTP response splitting vulnerability. Node.js versions 5.6.0, 4.3.0, 0.12.10, and 0.10.42 contain a fix for this vulnerability.

tags | exploit, web
advisories | CVE-2016-2216
SHA-256 | 4f718c9b8672df70ac27014b0f740610b9cdf5c24f5679eba0497c68bcbe2612
VM Detection Via Browsers
Posted Oct 7, 2015
Authored by Amit Klein

In the three browser families researched (Edge, Internet Explorer and Firefox, all on Windows 7 or above), it is possible to extract the frequency of the Windows performance counter using standard HTML and JavaScript. With the Windows performance counter frequency, it is possible to remotely detect some virtual machines and to coarse-grained fingerprint physical machines.

tags | advisory, javascript
systems | windows
SHA-256 | 4f09956b0c7e913f4113cbe7b3f586ad32231df3ccaeb159c817f171faf1bba0
Microsoft IE9 Math.random Vulnerability
Posted Dec 3, 2010
Authored by Amit Klein | Site trusteer.com

The IE9 (platform preview) JavaScript Math.random implementation is vulnerable to seed reconstruction. The seed reveals the computer's boot time (and on Windows 7, also the CPU clock speed). These can be used to fingerprint computers and track users within the same Windows session even if they close and open their IE9 (platform preview) browser multiple times. Interestingly enough, this technique also provides some information regarding the client hardware (namely the clock source and possibly the CPU clock speed), and may be used to detect virtualized machines "over the web". Additionally, the Math.random implementation is flawed in such a way that it returns non-uniform values (this holds for IE9 beta as well).

tags | advisory, web, javascript
systems | windows
SHA-256 | 45918005ee9131a6395034c2c491000f1e0689d1286fb59db5508b9831387ada
Cross-Domain Information Leakage / Temporary User Tracking In Safari
Posted Nov 23, 2010
Authored by Amit Klein | Site trusteer.com

Apple Safari versions 4.02 through 4.05 and Safari for Windows versions 5.0 through 5.0.2 suffer from cross-domain information leakage and temporary user tracking vulnerabilities.

tags | advisory, vulnerability
systems | windows, apple
SHA-256 | abdbde57161cf20c6337e6e980249edada439d02a2ac99f79b10fb57b97e16f8
Cross-Domain Information Leakage In Firefox
Posted Sep 15, 2010
Authored by Amit Klein | Site trusteer.com

Firefox versions 3.6.4 through 3.6.8, 3.5.10 through 3.5.11 and 4.0 Beta1 suffer from a cross-domain information leakage vulnerability.

tags | advisory
advisories | CVE-2010-3171
SHA-256 | 3f9728ea182855f9cdd648fafeb76095e6c17c0b99f95b7f9e956505654788c8
Google Chrome 3.0 Beta Math.random Vulnerability
Posted Sep 2, 2009
Authored by Amit Klein | Site trusteer.com

The revised Google Chrome Math.random algorithm (included in version 3.0 of Google Chrome) is predictable. This paper describes how the internal state of Google Chrome 3.0's Math.random can be reconstructed, how it can be rolled forward and backward, and how (on Windows) the exact seeding time can be extracted.

tags | paper
systems | windows
SHA-256 | 7b9c83dd2e7273c2190b761a57b11ae0110031308ec5b9aabd23733fed32ae97
Temporary User Tracking
Posted Jun 8, 2009
Authored by Amit Klein | Site trusteer.com

Whitepaper called "Temporary user tracking in major browsers and Cross-domain information leakage and attacks".

tags | paper
SHA-256 | c853b91a5b34d26501020b3c0cf23e98641c0e342533f5eaa6fa67b926ba5eff
address-spoof.txt
Posted Oct 27, 2008
Authored by Amit Klein | Site trusteer.com

Address Bar Spoofing Attacks Against Microsoft Internet Explorer 6. Due to formatting issues when originally sent, additional notes regarding the attacks are appended.

tags | paper, spoof
SHA-256 | 0b50cac4814209cbe847736d64513cecbda9d1d2abe27507f6bcd18601973ba7
msswi-blog.txt
Posted Apr 28, 2008
Authored by Amit Klein | Site trusteer.com

It appears that Microsoft may have incorrectly stated a few things regarding MS08-020 on their blog and is reluctant to correct them.

tags | advisory
SHA-256 | 73f9756867890024835effe6ee25eb6c221b87724ce661a953eed30c6217d1e5
Microsoft_Windows_resolver_DNS_cache_poisoning.pdf
Posted Apr 9, 2008
Authored by Amit Klein | Site trusteer.com

This paper shows that Windows DNS stub resolver queries are predictable, i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, provides very few guesses for the "next" query, thereby overcoming whatever protection is offered by the transaction ID mechanism. This enables much more effective DNS client poisoning than the currently known attacks against the Windows DNS stub resolver.

tags | paper, udp
systems | windows
SHA-256 | fcbad979678328d35c5f23e8e94a9efb78263e2ea3c4b81d3d339f74542d6222
PowerDNS_recursor_DNS_Cache_Poisoning.pdf
Posted Apr 1, 2008
Authored by Amit Klein | Site trusteer.com

PowerDNS Recursor versions 3.0 through 3.1.4 suffer from a DNS cache poisoning vulnerability.

tags | paper
SHA-256 | 8824d748ef2aaa9c0293a00da6abf363dbb510dbe88dfd97be4f16a4f3450ecf
OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP_ID_Vulnerability.pdf
Posted Feb 6, 2008
Authored by Amit Klein | Site trusteer.com

The paper describes a weakness in the pseudo-random number generator (PRNG) used by OpenBSD, Mac OS X, Mac OS X Server, Darwin, NetBSD, FreeBSD and DragonFlyBSD to produce random DNS transaction IDs (OpenBSD) and random IP fragmentation IDs.

tags | paper
systems | netbsd, freebsd, openbsd, apple, osx
SHA-256 | f4d5a9167d760de1ba2fee62eca09913ff2bc2b3ccd64974ce7df7c989bc49c5
Windows DNS Cache Poisoning Whitepaper
Posted Nov 14, 2007
Authored by Amit Klein | Site trusteer.com

The paper shows that Microsoft Windows DNS Server outgoing queries are predictable, allowing for cache poisoning attacks.

tags | paper
systems | windows
SHA-256 | e6bf106c2809b9fc55bd7e40137aa82ae7c1d6097a707860f8585ff0ea7fd84d
BIND 8 DNS Cache Poisoning Whitepaper
Posted Aug 28, 2007
Authored by Amit Klein | Site trusteer.com

The paper shows that BIND 8 DNS queries are predictable, allowing for cache poisoning attacks.

tags | paper
SHA-256 | bc6ae89b00e4483608728ec54c75abdcb5ec809af078ff38205099b0e7edc9b7
bind9forgery.txt
Posted Jul 25, 2007
Authored by Amit Klein

A new weakness has been discovered in the BIND 9 DNS server that allows for DNS forgery pharming.

tags | paper
SHA-256 | 44a3e16c3aabb202dfe70436a689534e57f1ee76da12e5cc5fc8211474d8919d
HeaderFlash.txt
Posted Aug 27, 2006
Authored by Amit Klein

Formal write-up discussing how arbitrary HTTP requests can be crafted using Flash 7/8 with Internet Explorer.

tags | paper, web, arbitrary
SHA-256 | 255a3d2253e2f6988647d919e94f2316e545debac79aa3bd39fd8c4906113f23
flashTheft.txt
Posted Aug 27, 2006
Authored by Amit Klein

By forging HTTP request headers with Flash, virtually hosted systems can be susceptible to cookie theft using IE.

tags | advisory, web
SHA-256 | 154ef9bc8fad418a9c6a3409d1cca920cb706549ce6104aa5e4796e74b18ed4a
Forge-Amit.txt
Posted Jul 26, 2006
Authored by Amit Klein

Whitepaper titled "Forging HTTP Request Headers With Flash".

tags | paper, web
SHA-256 | ea05b3536fe449fc3fedd3dda363fbd5f77eefea62b709a6e4e00a23c016c940
httpResponseSmuggle.txt
Posted Feb 25, 2006
Authored by Amit Klein

Whitepaper entitled "HTTP Response Smuggling". It discusses evasion techniques to bypass anti-HTTP response splitting strategies.

tags | paper, web
SHA-256 | ee3a42dce4b4f8bc8c2ae652525c238be609475a31e10db164e4648e1e6a3f2f
xmlhttpRequestpaper.txt
Posted Sep 26, 2005
Authored by Amit Klein

Whitepaper entitled "Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a lot more."

tags | paper, spoof
SHA-256 | f9a2ac7567ed51e0a9e6e4ff4008bf10f202d346e42b74a07fdaa5b5d39e055f
httpsplit.txt
Posted Aug 17, 2005
Authored by Amit Klein

This technical note describes a detection/prevention technique that works in many cases both with HTTP Response Splitting and with HTTP Request Smuggling.

tags | paper, web
SHA-256 | 5ea1e8c04c45276464698ca627370626105e043dcb550f659141545d10bf8160
NTLMhttp.txt
Posted Jul 19, 2005
Authored by Amit Klein

Interesting write-up regarding the faulty logic of using NTLM HTTP authentication and how it does not mix well with HTTP proxies.

tags | paper, web
SHA-256 | 90db90511248bba22320ddbf235e0b421d6f0157a947a904209428ca1f742295
022805.txt
Posted Mar 1, 2005
Authored by Amit Klein | Site webappsec.org

This paper describes several techniques for exposing file contents using a site's search functionality. It is assumed that a site contains documents which are not visible or accessible to external users, typically future PR items or future security advisories uploaded to the website beforehand. However, the site is also searchable via an internal search facility which does have access to those documents; they are indexed by it not via web crawling but via direct access to the files. Therein lies the security breach.

tags | paper, web
SHA-256 | 95d07a72940beb4eb7d8ef7e8dce89e68ae8dd623e9569d62e531063c6e241f1
iis5x60.txt
Posted Oct 13, 2004
Authored by Amit Klein, Ory Segal aka Watchfire

Microsoft IIS 5.x and 6.0 suffer from a denial of service vulnerability in the WebDAV XML parser. An attacker can craft a malicious WebDAV PROPFIND request which uses XML attributes in a way that inflicts a denial of service condition on the target machine (the IIS web server). The result of this attack is that the XML parser consumes all the CPU resources for a long period of time (from seconds to minutes, depending on the size of the payload).

tags | advisory, web, denial of service
SHA-256 | 86be4f9097197602acfd076c6401bace0c652dc337ac4d228bd232c9ba16c4cb
xercesAmit.txt
Posted Oct 13, 2004
Authored by Amit Klein

Xerces-C++ versions below 2.6.0 allow an attacker to craft a malicious XML document using XML attributes in a way that inflicts a denial of service condition on the target machine.

tags | advisory, denial of service
SHA-256 | c9012b95fb7dbde14a8dac46c6c782e48b7bfc674febf57fecf7c257ea6f7e13
Page 1 of 2

© 2022 Packet Storm. All rights reserved.