Full Disclosure mailing list archives

Re: Global *.net XSS, thank you Verisign(TM)


From: Scott Manley <djsnm () djsnm com>
Date: Tue, 16 Sep 2003 11:17:20 -0700

Richard M. Smith wrote:
VeriSign should fix their bug, but I don't see the danger of a
cross-site scripting error at a non-existent domain.  The scripting code
can't really do anything at the Web site........


Indeed, but it is exploitable in some cases where the user is using an HTTP proxy, since there are two URL parsers involved. If anyone remembers the rather neat Analog-X/IE Global XSS you can probably find the same issue with almost any proxy.

I've not tested, but.... the Analog-X URL parser looks for a ':' or a '\' as a terminator for the domain name, while IE looks for any character which isn't part of a legal domain name.

So you can get cookies from *any* domain by doing things like

http://www.msn.com";alert('slut');".net

In theory IE parses this to the msn.com domain and the proxy parses this to the www.msn.com";alert('slut');".net domain.

Again - it all depends on the proxy and the browser disagreeing on the URL parsing.

Scott Manley
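The parser disagreement Scott describes, modelled as an added example (not code from his post, nor from Analog-X or IE): a lenient proxy-style host parser that stops only at ':' or '\' (a '/' terminator is added here as an assumption so ordinary URLs with a path still parse), a strict browser-style parser that stops at the first character outside the hostname alphabet, and a defender-side check that a proxy could use to reject any request whose host contains characters a browser would never treat as part of the host. The sample URLs are constructed for the demo.

```python
import re
from typing import Optional, Tuple

# Hostname alphabet assumed here: letters, digits, '.' and '-'.
_STRICT_HOST_RE = re.compile(r"[A-Za-z0-9.-]+")

# Terminators for the lenient (proxy-style) parser: ':' and '\' as the post
# describes; '/' is an added assumption so URLs with a path behave sanely.
_LENIENT_TERMINATORS = ":\\/"


def _after_scheme(url: str) -> str:
    """Return everything after 'scheme://', or '' if there is no scheme."""
    idx = url.find("://")
    return url[idx + 3:] if idx != -1 else ""


def lenient_host(url: str) -> str:
    """Proxy-style parse: the host runs until ':' , '\\' or '/' is seen."""
    rest = _after_scheme(url)
    for i, ch in enumerate(rest):
        if ch in _LENIENT_TERMINATORS:
            return rest[:i]
    return rest


def strict_host(url: str) -> str:
    """Browser-style parse: the host stops at the first non-hostname character."""
    rest = _after_scheme(url)
    m = _STRICT_HOST_RE.match(rest)
    return m.group(0) if m else ""


def host_views(url: str) -> Tuple[str, str]:
    """Both parsers' view of the host, side by side."""
    return lenient_host(url), strict_host(url)


def parsers_disagree(url: str) -> bool:
    """True when the proxy and the browser would extract different hosts."""
    lenient, strict = host_views(url)
    return lenient != strict


def accept_host(url: str) -> Optional[str]:
    """Defensive check for the proxy side: return the host only when every
    character the lenient parser collected is a legal hostname character;
    otherwise return None, meaning the request should be rejected."""
    lenient = lenient_host(url)
    if not lenient or _STRICT_HOST_RE.fullmatch(lenient) is None:
        return None
    return lenient


if __name__ == "__main__":
    # Constructed samples: one ordinary URL, one with junk after the hostname.
    samples = [
        "http://www.example.com:8080/index.html",
        'http://www.example.com";x".net',
    ]
    for u in samples:
        print(u, host_views(u),
              "DISAGREE" if parsers_disagree(u) else "agree",
              "accepted" if accept_host(u) else "rejected")
```

The check in `accept_host` is the simplest mitigation on the proxy side: a host that is not purely hostname characters cannot be parsed the same way by the browser, so there is no safe interpretation of the request and it should be refused (or at least never echoed back into an HTML error page).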

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

