Full Disclosure mailing list archives
Re: Global *.net XSS, thank you Verisign(TM)
From: Scott Manley <djsnm () djsnm com>
Date: Tue, 16 Sep 2003 11:17:20 -0700
Richard M. Smith wrote:
> VeriSign should fix their bug, but I don't see the danger of a cross-site scripting error at a non-existent domain. The scripting code can't really do anything at the Web site........
Indeed, but it is exploitable in some cases where the user is using an http proxy, since there are 2 url parsers involved. If anyone remembers the rather neat Analog-X/IE Global XSS you can probably find the same issue with almost any proxy.
I've not tested, but.... the Analog-X URL parser looks for a ':' or a '\' as a terminator for the domain name, while IE looks for any character which isn't part of a legal domain name.
So you can get cookies from *any* domain by doing things like
http://www.msn.com";alert('slut');".net
In theory IE parses this to the msn.com domain and the proxy parses this to the www.msn.com";alert('slut');".net domain.
Again - it all depends on the proxy and the browser disagreeing on the URL parsing.
Scott Manley
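Added example, not part of the message above: a proxy-side guard that models the two host-parsing styles the post describes (a delimiter-terminated parser and a legal-character-terminated parser) and refuses any URL on which they disagree. All function names are hypothetical, the `/` terminator is an assumption added so paths are not treated as part of the host, and the sample URLs are constructed.

```python
import string

# Characters that may legally appear in a DNS hostname.
LEGAL_HOST_CHARS = frozenset(string.ascii_letters + string.digits + "-.")


def _after_scheme(url: str) -> str:
    """Return everything after 'scheme://' (the whole string if absent)."""
    _, sep, rest = url.partition("://")
    return rest if sep else url


def host_delimiter_style(url: str, terminators: str = ":\\/") -> str:
    """Proxy-style model from the post: the host ends at ':' or '\\'.
    '/' is an assumption added here, not something the post states."""
    rest = _after_scheme(url)
    hits = (rest.find(t) for t in terminators)
    cut = min((i for i in hits if i != -1), default=len(rest))
    return rest[:cut].lower()


def host_charset_style(url: str) -> str:
    """Browser-style model from the post: the host ends at the first
    character that is not legal in a domain name."""
    rest = _after_scheme(url)
    for i, ch in enumerate(rest):
        if ch not in LEGAL_HOST_CHARS:
            return rest[:i].lower()
    return rest.lower()


def check_request_url(url: str) -> tuple[bool, str]:
    """Forward only when both models extract the same, non-empty host.
    Agreement implies the host holds legal characters only; this is
    deliberately strict and also rejects user@host forms."""
    a, b = host_delimiter_style(url), host_charset_style(url)
    if not a or not b:
        return False, "empty host"
    if a != b:
        return False, f"parser differential: {a!r} vs {b!r}"
    return True, a


# Constructed sample URLs (example.com is a reserved documentation domain).
SAMPLES = [
    "http://www.example.com/index.html",
    "http://www.example.com:8080/",
    'http://www.example.com";x;".net/',
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", check_request_url(u))
```
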