InternetExplorer SSL Popup

["Richard Maudsley" <r_i_c_h_lists () btopenworld com>]

Hi,

I'm investigating xss issues on ssl servers.

When I inject
<script>window.open("javascript.writeln('test')")</script>
into the page i see some strange things...

Mozzila's (FireFox) new instance shows no relationship with the original
page from which the window was opened. However, Internet Explorer decides
that the new window also belongs to that server and includes the lovely SSL
padlock icon in the status bar. Double clicking this icon (accessing the
securuty report for that domain) shows an message stating; "This type of
document does not have a  security certificate", lovely.

This makes phishing a breeze, I can render a brand new page inside an
apparently secure browser window!

How are XSS vulns exploited in the wild? Bulk mail with the poisoned link?
How is bad html/script be crafted into the original vulnerable page to make
it look legitimate?

-Rich

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html