[Full-disclosure] MSIE7 entrapment again (+ FF tidbit)
- From: Michal Zalewski <lcamtuf@xxxxxxxxxxxx>
- Date: Sat, 14 Jul 2007 00:20:54 +0200 (CEST)
Microsoft Internet Explorer seems to have a soft spot for browser
entrapment vulnerabilities. Just to recap, in these attacks, the user is
made believe he had left a webpage (and the URL bar or SSL state data
reinforce him in this belief) - but in reality, is prevented from doing
so, and his browser continues to display assorted content originating from
This is a close, but somewhat more sinister relative of vanilla URL bar
spoofing. I reported a few of each kind in the recent months.
Well, here's another one, this time based on document.open() calls. In
essence, repeatedly calling this function after a new URL is entered by
the user, before onBeforeUnload is invoked, inhibits page transition - but
target URL bar state is retained. This is remarkably silly.
A live demo is available here:
That is all.
PS. The promised tidbit - since I'm leaving for a while and won't have
'domainless' cookies by specifying 'domain=.' - for example:
Fortunately/unfortunately, these cookies do not get sent to all sites - no
session fixation - though can be retrieved by other null-domain
periods will be trimmed. Path can be set arbitrarily, with certain
exceptions. Null-domain cookies load properly when stored in cookies.txt.
Q: can this be used in a manner more sinister than merely facilitating
exchange of "markers" between various user-tracking sites?
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Prev by Date: Re: [Full-disclosure] Youtube.com flagged video age verification bypass. Take 2
- Next by Date: Re: [Full-disclosure] PIRS2007 local buffer overflow vulnerability
- Previous by thread: [Full-disclosure] White Paper - Chrooting sshd
- Next by thread: [Full-disclosure] Opera/Konqueror: data: URL scheme address bar spoofing