CSS before redirect

[Stephen de Vries <stephen.devries () dcode net>]

Hi all,

I'm looking at an application that seems to be vulnerable to CSS attack,
however, the browser keeps following the redirect before running the
script.  The request:

GET /includes?"></a><script>alert('hello')</script> HTTP/1.1

Results in the following response:

HTTP/1.1 302 Object Moved
Location: https://somwhereelse.com
Server: Microsoft-IIS/4.0
Content-Type: text/html
Content-Length: 123

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a
HREF="https://somewhereelse.com/includes/?";></a><script>alert('hello')</script>">here</a>

The CSS injection looks as though it should work, if the browser just
displayed that page, but instead it acts on the redirect immediately
before displaying the page.  This happens in both Mozilla 1.4 and IE 6.
Do you think this represents a security risk ?  Do older browsers behave
in the same way ?  Is it possible to turn this behaviour off ?  Does
cologne make the man ?


cheers,

Stephen