Full Disclosure mailing list archives
Re: Opera/Konqueror: data: URL scheme address bar spoofing
From: "Martin Aberastegue" <xyborg () gmail com>
Date: Sat, 14 Jul 2007 02:44:56 -0500
Hi Robert, it works for me on Opera 9.21 (8776) WXP SP2.

I was trying to do the same with Firefox and it seems to work too, but you get the "data:text/html" at the beginning of the URL. Here you have a PoC for FF, it works on a 2.0.0.4 version:
http://www.rzw.com.ar/ff_URL_spoofing.html

On 7/14/07, Martin Aberastegue <xyborg () gmail com> wrote:
> Hi Robert, it works for me on Opera 9.21 (8776) WXP SP2.
>
> I was trying to do the same with Firefox and it seems to work too, but you get the "data:text/html" at the beginning of the URL. Here you have a PoC for FF, it works on a 2.0.0.4 version:
> http://www.rzw.com.ar/ff_URL_spoofing.html
>
> On 7/13/07, Robert Swiecki <jagger () swiecki net> wrote:
> > With a specially crafted web page, an attacker can redirect a www browser to a page whose URL (in the url bar) resembles an arbitrary domain chosen by the attacker. It's possible due to the fact that some web browsers incorrectly display contents of the url bar while rendering pages based on the 'data:' URL scheme (RFC 2397). Only the ending of the URL is displayed. Padding the URL with whitespaces allows an attacker to insert arbitrary content into the browser url bar.
> >
> > http://alt.swiecki.net/oper1.html
> >
> > Tested with:
> > * Opera 9.21 on Win 2003SE and Win XPSP2
> > * Opera 9.21 on Linux
> > * Konqueror 3.5.7 on Linux
> >
> > Pictures taken on my systems (using 1024x768 desktop resolution):
> > http://alt.swiecki.net/operalin.png
> > http://alt.swiecki.net/operawin.png
> > http://alt.swiecki.net/konq.png
> >
> > Successful attack depends on the proper construction of the 'data:' URL. An algorithm could utilize JS document.body.clientWidth/Height properties to calculate the best url padding for the given browser.
> >
> > PS. Sometimes Opera web browser displays the beginning of the 'data:' URL (correct behaviour), e.g. during browser startup with immediate redirect to the last visited page.
> >
> > --
> > Robert Swiecki
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> --
> Martin Aberastegue
> http://www.rzw.com.ar
--
Martin Aberastegue
http://www.rzw.com.ar
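An added example, not part of the thread or of any browser's code: a triage check a proxy, mail filter or extension could apply to links, flagging 'data:' URLs (RFC 2397) that carry the long whitespace run the advisory describes. The threshold, the function names and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: triage check for whitespace-padded data: URLs (RFC 2397).
// PAD_THRESHOLD and every name below are assumptions, not from the thread.
const PAD_THRESHOLD = 32;

// Decode %XX escapes one at a time so a malformed escape cannot throw.
function decodeLoosely(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Host-like token: optional http(s)://, dotted labels, optional path or port.
const HOST_LIKE = /^(?:https?:\/\/)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[\/:]\S*)?$/i;

function inspectDataUrl(url) {
  const report = { isDataUrl: false, longestPad: 0, hostLikeTokens: [], suspicious: false };
  const raw = String(url).trim();
  if (!/^data:/i.test(raw)) return report;
  report.isDataUrl = true;

  const decoded = decodeLoosely(raw);
  // \s covers space, tab, CR/LF, NBSP and the other Unicode spaces.
  for (const run of decoded.match(/\s+/g) || []) {
    report.longestPad = Math.max(report.longestPad, run.length);
  }
  // Tokens that read like a site name are what a truncated URL bar would show.
  report.hostLikeTokens = decoded.split(/\s+/).filter((t) => HOST_LIKE.test(t));
  report.suspicious = report.longestPad >= PAD_THRESHOLD;
  return report;
}

// Constructed samples (not taken from the PoC pages linked in the thread).
const SAMPLES = {
  padded: "data:text/html," + "%20".repeat(120) + "www.example.com",
  image: "data:image/png;base64,iVBORw0KGgo=",
  text: "data:text/plain,hello world",
  web: "https://www.example.com/",
};

function runSamples() {
  const out = {};
  for (const [name, url] of Object.entries(SAMPLES)) out[name] = inspectDataUrl(url);
  return out;
}

console.log(runSamples());
```

The `hostLikeTokens` field is a secondary signal for an analyst: a long pad next to a token that reads like a domain matches the pattern reported here, while a long pad alone may only be oddly formatted inline content.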
Current thread:
- Opera/Konqueror: data: URL scheme address bar spoofing Robert Swiecki (Jul 13)
- Message not available
- Re: Opera/Konqueror: data: URL scheme address bar spoofing Martin Aberastegue (Jul 14)
- Re: Opera/Konqueror: data: URL scheme address bar spoofing Nick FitzGerald (Jul 14)
- Re: Opera/Konqueror: data: URL scheme address bar spoofing Martin Aberastegue (Jul 14)
- Re: Opera/Konqueror: data: URL scheme address bar spoofing Martin Aberastegue (Jul 14)
- Message not available
- Re: Opera/Konqueror: data: URL scheme address bar spoofing Andrew Redman (Jul 15)
- <Possible follow-ups>
- Re: Opera/Konqueror: data: URL scheme address bar spoofing Harri Porten (Jul 15)