Comments on: SUN Fixes GIFARs

By: 10 tecnicas de hacking web: « Hackerpedia.

10 tecnicas de hacking web: « Hackerpedia. — Thu, 14 Apr 2011 11:21:17 +0000

[...] 1. GIFAR (Billy Rios, Nathan McFeters, Rob Carter, and John Heasman) [...]

By: Alain

Alain — Fri, 13 Nov 2009 09:32:59 +0000

You suggest that web sites use a throw-away domain for user uploaded content.

However, this won’t help for exactly the same reason that it didn’t help in your google example: the malicious user would just use the same conn.setRequestProperty(“Host”, “realdomain.victim.com”); hack that you used in your example.

So, rather than needing only a throw-away domain, you’d actually need a throw-away server or a least a throw-away IP. Which is lots harder to come by for small website operators.

And it is the conn.setRequestProperty hack that make this a java bug rather than a website bug. Indeed, conceivably the same hack could be used without any cross-site-scripting vulnerability or chimera file by customers of a virtual hosting service who wish to attack other customers of the same service.

By: Dave

Dave — Thu, 15 Oct 2009 06:34:44 +0000

Nice to see everyone saying “NICE POST” when they really have no clue of what your talking about.

By: Smitha

Smitha — Mon, 25 May 2009 20:07:38 +0000

Hi Billy,

I am student from Penn State working on a project related to some issues in Web 2.0. We were researching this issue and when we tried the patch by Sun (we installed the latest version of Java and updated our JRE) , we found that we could still run Gifars. Could you please shed some light on why this could happen.
It would also be great if you could give us some insight into how the patch by Sun works to fix this issue

Thanks,
Smitha

By: Top 10 técnicas Web Hacking del 2008 | CyberHades

Top 10 técnicas Web Hacking del 2008 | CyberHades — Mon, 23 Feb 2009 18:36:09 +0000

[...] GIFAR (Billy Rios, Nathan McFeters, Rob Carter, and John [...]

By: Inferno

Inferno — Mon, 26 Jan 2009 03:54:45 +0000

Hi Billy,

I have found another server side fix for the GIFAR issue and also referenced this article at my blog
http://securethoughts.com/?p=35.

Thanks,
Inferno

By: Easy Server Side Fix for the GIFAR security issue « SecureThoughts.com - Inferno's Blog on Application Security

Sat, 24 Jan 2009 22:59:19 +0000

[...] GIFAR issue was found by security researchers Billy Rios and Nate Mcfeters. To summarize the exploit, an [...]

By: rajat swarup

rajat swarup — Thu, 15 Jan 2009 01:21:20 +0000

As usual awesome stuff man! Reminds me the same situation where the mismatch between proxies and web servers to use different “Content-Length” headers when more than one content-length header was specified to perform cache poisioning attacks. Just that in this case there’s a mismatch between JVM (client side plugin) and the web app in what they consider a valid HTTP request!

By: kapp

kapp — Tue, 23 Dec 2008 06:29:35 +0000

dude awesome xplanation on GIFAR…really liked the post!!

By: links for 2008-12-17 (Jarrett House North)

links for 2008-12-17 (Jarrett House North) — Thu, 18 Dec 2008 02:01:10 +0000

[...] SUN Fixes GIFARs (Billy (BK) Rios) More documentation on how the blended GIF + JAR (GIFAR) attack worked, and some thoughts on mitigating it. In particular, I like the idea of having a separate domain to store user contributed content. (tags: security java gifar) [...]