mailing list archives
Redirectors: the phantom menace
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 27 Jun 2010 23:45:11 +0300
Hello participants of Full-Disclosure!
Additional information for those who read my article (and who still didn't
they can do it) Redirectors: the phantom menace
In addition to previous 12 attacks via open redirectors this year I added
three new attacks (and soon would add more).
To before-mentioned attacks the redirectors also can be used:
- For conducting of XSS attacks via PDF files, which I wrote about in post
regarding Script Injection in Adobe Acrobat
- For conducting of DoS attacks on browsers via redirection to mailto: URL,
which I wrote about in post DoS in Firefox, Internet Explorer, Chrome, Opera
and other browsers (http://websecurity.com.ua/4206/). This concerns both
open redirectors and closed redirectors
- For bypassing of restrictions on URL at HTML Injection attacks,
particularly Link Injection. As in case of vulnerability at news.yahoo.com
(http://websecurity.com.ua/3723/). In contrast to bypass of protection
filters at using of closed redirectors (attack #10), in this case not
external redirector is using, but internal one (at this site, or at the site
from allowed list).
Best wishes & regards,
Administrator of Websecurity web site
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Redirectors: the phantom menace MustLive (Jun 27)