Bugtraq
mailing list archives
Re: Bypassing javascript filters - problem N3.
From: fozzy () dmpfrance com
Date: Tue, 02 Apr 2002 15:48:23 GMT
Hello,
I took a quick look at it. This service seems to be vulnerable to several
known attacks against webmails.
I successfully injected unfiltered javascript into a web page browsed
through Anonymizer using:
* <img aaa="bbb>" src="javascript:alert('beep');">
(the original idea was published by Mark Slemko on vuln-dev, 23 Feb 2000...
but is still ignored on many webmails!)
* <P STYLE="left:expression(eval('alert(\'boop\')'))"> (thx to Guninski -
Bugtraq 1999)
* Some things that seem to work only with Netscape 4.x, like:
<STYLE TYPE="text/javascript">alert('biip');</style>
<STYLE TYPE="application/x-javascript">alert('burp');</style>
<LINK REL=STYLESHEET TYPE="text/javascript" SRC="http://.../script.js">
(thx to Jeremiah Grossman - WhiteHatSec Aug 2001)
...and probably more!...
I wish good luck to Anonymizer, because what they are trying to do is
very close to "malicious html filtering" in webmails, and it seems to be
really difficult for webmail sites to set up good filters. I wish Anonymizer
will show the way to good web privacy.
FozZy
Hackademy - Paris.
Hackerz Voice International Edition
http://www.dmpfrance.com
Alexander K. Yezhov wrote:
Hello bugtraq,
Title: Bypassing JavaScript filters
Service: Anonymizer, maybe similar services
Description:
Anonymizer offers free and commercial services that allow users to browse
the web safely. Since JavaScript can be dangerous, all script blocks and
events are cut from the html.
Problem N3:
Maybe you remember the problem I reported in 2001 - JavaScript
code could be executed after parsing of the html by Anonymizer. The
same principle of "JavaScript inside JavaScript" gave me a working
example of redirecting Anonymizer users recently.
Demo is available as Test N3 at
http://anon.free.anonymizer.com/http://tools-on.net/you.shtml
The part of the code before parsing:
onLoad="onLoad="document.cookie='rw=; expires=Thu, 01-Jan-1970
onLoad="location='unprotected_location';"
The same code after parsing:
onLoad="location='unprotected_location';"
Errors generated for visitors without Anonymizer are suppressed by a
window.onError handler.
Problem status:
Anonymizer has been contacted and patched already.
Best regards, Alexander
-----------------------------------------------------------------------
MCP+I, MCSE on Windows NT 4, MCSE on Windows 2000
http://leader.ru http://tools-on.net (Security & Privacy on the Net)
-----------------------------------------------------------------------
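The failure mode both posts describe is the same: a filter that deletes substrings from the raw markup can be fed input in which the deletion itself assembles the token it was meant to remove, while a filter that parses the markup and rebuilds it from an allowlist has no such join to exploit. The following is an added example, not code from either post or from Anonymizer: `strip_once` is a constructed stand-in for a naive one-pass filter (the service's real filter is not on the page), `Sanitizer` is the parse-and-allowlist alternative, and `NESTED` and `IMG_JS` are constructed samples, the second being the `javascript:` URL vector FozZy quotes.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed samples (not from the thread). NESTED applies the post's nesting idea
# to a filter that deletes the word "onload": one deletion pass reassembles it.
# IMG_JS is the javascript: URL vector quoted in the reply.
NESTED = '<body onloonloadad="location=\'unprotected_location\'">'
IMG_JS = '<img aaa="bbb>" src="javascript:alert(1)">'
EVENT_WORD = re.compile(r'onload', re.IGNORECASE)

def strip_once(markup):
    """Naive filter: a single pass that deletes every 'onload' it finds."""
    return EVENT_WORD.sub('', markup)

class Sanitizer(HTMLParser):
    """Parse, keep only allowlisted tags and attributes, and re-serialize.
    Nothing is deleted from the raw string, so there is no join to exploit."""
    TAGS = {'body', 'p', 'a', 'img', 'b', 'i', 'br'}
    ATTRS = {'href', 'src', 'alt', 'title'}

    def __init__(self):
        super().__init__()
        self.out, self.events = [], []

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:                  # names arrive lowercased
            value = value or ''
            if name.startswith('on'):              # any event handler attribute
                self.events.append(name)           # reported to the caller
            elif name in self.ATTRS and not value.lstrip().lower().startswith('javascript:'):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag in self.TAGS:                       # unknown tags (script, style) vanish
            self.out.append(f'<{tag}{"".join(kept)}>')

    def handle_endtag(self, tag):
        if tag in self.TAGS:
            self.out.append(f'</{tag}>')

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # script/style bodies become text

def sanitize(markup):
    """Return (clean markup, event attributes the parser saw in the input)."""
    parser = Sanitizer()
    parser.feed(markup)
    parser.close()
    return ''.join(parser.out), parser.events
```

Running `sanitize` over the output of `strip_once(NESTED)` is also a cheap regression check for any substring-deleting filter: if the parser still reports an `on*` attribute, the filter was bypassed.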