by nkassis
5782 days ago
Wait, where does it state he gained access to the router? You can get the MAC address of your router by sending an HTTP request to it. Mine states it on the homepage. Doesn't mean you can change anything on there. What I'd like to know is how he manages to send this request; the JavaScript origination policy should be blocking this. EDIT: I was referring to the original article. Schneier has a point: if the user has the default password set then yes, he can log in, but how is that even possible on most browsers today, which prevent you from sending AJAX requests to anything but the original server? EDIT2: Just tried it and got an error from Chrome:
400 Bad Request
Cross Site Action detected!
He's using an XSS vulnerability in the router admin interface to execute JavaScript on the router's pages, so he can use JavaScript to do pretty much anything the user can do.
But even without an XSS exploit you can make cross-domain POSTs using forms, and GETs using IMG or SCRIPT tags. You just can't get the response, so it's not suitable for this attack where you need to get the MAC address out.
The "Drive-by Pharming" mentioned in the link I posted used the latter technique, because all it needs to do is POST some form that tells the router to update the DNS settings; it doesn't need the response.
He actually mentioned that technique in the video, but sort of glossed over it (right before "now, this isn't necessary in our geolocation XXXSS attack").
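The server-side check that the first comment's "Cross Site Action detected!" error hints at, written here as an added example that is not part of the thread (the header handling, the `isCrossSiteAction` function and the allowed-host list are assumptions): a router's state-changing endpoint refusing any request whose Sec-Fetch-Site, Origin or Referer does not point back to the router's own host, which is what stops the cross-domain form POSTs and IMG/SCRIPT-tag GETs described in the reply above even though the attacker never needs the response.

```javascript
// Added example (not code from the thread): the kind of server-side check
// behind a "400 Cross Site Action detected!" response. A browser will not let
// a page READ a cross-origin response, but forms, IMG and SCRIPT tags still
// SEND requests, so an endpoint that changes router state must verify that
// the request came from the router's own pages. Header handling and the
// allowed-host list are assumptions for illustration.

function isCrossSiteAction(req, allowedHosts) {
  // Normalise header names; HTTP header names are case-insensitive.
  const h = {};
  for (const [k, v] of Object.entries(req.headers || {})) h[k.toLowerCase()] = v;

  // Sec-Fetch-Site is set by modern browsers and cannot be set by page script.
  // Anything other than same-origin (or "none" for a typed URL) is cross-site.
  const sfs = h['sec-fetch-site'];
  if (sfs && sfs !== 'same-origin' && sfs !== 'none') return true;

  // Otherwise fall back to Origin, then Referer. Requests carrying neither
  // (or the literal "null" origin) cannot be attributed and are refused, so
  // apply this check only to state-changing endpoints, not ordinary page loads.
  const source = h['origin'] || h['referer'];
  if (!source) return true;
  let host;
  try { host = new URL(source).host; } catch (e) { return true; }
  return !allowedHosts.includes(host);
}

// Constructed sample requests to a router at 192.168.1.1 (assumed address).
const SAMPLE_REQUESTS = [
  { id: 'same-origin-admin-post', method: 'POST',
    headers: { Origin: 'http://192.168.1.1', 'Sec-Fetch-Site': 'same-origin' } },
  { id: 'cross-site-form-post', method: 'POST',
    headers: { Origin: 'http://other.example', 'Sec-Fetch-Site': 'cross-site' } },
  { id: 'cross-site-img-get-old-browser', method: 'GET',
    headers: { Referer: 'http://other.example/page.html' } },
  { id: 'no-attribution-headers', method: 'GET', headers: {} },
];

// Returns a map of request id -> "blocked" / "allowed" for the samples.
function classify(requests = SAMPLE_REQUESTS, allowedHosts = ['192.168.1.1']) {
  const result = {};
  for (const r of requests) {
    result[r.id] = isCrossSiteAction(r, allowedHosts) ? 'blocked' : 'allowed';
  }
  return result;
}

console.log(classify());
```

Origin and Referer alone are not a complete defence (older browsers omit them and Referer can be suppressed), which is why a per-session anti-CSRF token in the form is the usual companion to this check.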