[Full-disclosure] Opera/Konqueror: data: URL scheme address bar spoofing



With a specially crafted web page, an attacker can redirect a web
browser to a page whose URL, as shown in the address bar, resembles
an arbitrary domain chosen by the attacker.

This is possible because some web browsers incorrectly display the
contents of the address bar while rendering pages loaded from the
'data:' URL scheme (RFC 2397): only the end of the URL is shown.
Padding the URL with whitespace therefore lets an attacker place
arbitrary content in the browser's address bar.
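The pattern described above (a long whitespace run followed by address-like text inside a data: URL) is easy to flag before it reaches a browser, e.g. in a proxy or mail-gateway URL filter. The following is an added detection heuristic, not code from the original post; the padding threshold, the inspection window and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# RFC 2397 shape: data:[<mediatype>][;base64],<data>
DATA_URL = re.compile(r"^data:[^,]*,", re.IGNORECASE)
# A run of spaces/tabs long enough to push the real content out of view.
# The length an attacker needs depends on the window width, so 16 is an
# assumed threshold for this example, not a value from the post.
PADDING_RUN = re.compile(r"[ \t]{16,}")
# Text that reads like an address: optional scheme, dotted host, optional path.
ADDRESS_LIKE = re.compile(
    r"(?:https?://|www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?", re.IGNORECASE)
TAIL_WINDOW = 64  # assumed: how much content to inspect before trailing padding


def check_data_url(url):
    """Return a finding dict when a data: URL carries a whitespace run with
    address-like text next to it (the spoof pattern), otherwise None."""
    if not DATA_URL.match(url):
        return None
    decoded = unquote(url)          # %20 / %09 padding decodes to whitespace
    runs = list(PADDING_RUN.finditer(decoded))
    if not runs:
        return None                 # no padding: nothing is being hidden
    segments = PADDING_RUN.split(decoded)
    # The bar shows the end of the URL, so inspect what follows each run;
    # if only trailing padding exists, inspect the end of the content itself.
    candidates = [s for s in segments[1:] if s.strip()]
    if not candidates:
        candidates = [segments[0][-TAIL_WINDOW:]]
    for part in candidates:
        addr = ADDRESS_LIKE.search(part)
        if addr:
            return {
                "padding_chars": sum(r.end() - r.start() for r in runs),
                "spoofed_address": addr.group(0),
                "displayed_tail": part.strip(),
            }
    return None


# Constructed samples (not from the post): a padded spoof and a benign data: URL.
SPOOF = ("data:text/html,<html><body>sign in</body></html>"
         + "%20" * 40 + "http://bank.example/login")
BENIGN = "data:text/plain;charset=utf-8,hello%20world"

if __name__ == "__main__":
    for u in (SPOOF, BENIGN):
        print(check_data_url(u))
```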

http://alt.swiecki.net/oper1.html

Tested with:
* Opera 9.21 on Win 2003SE and Win XPSP2
* Opera 9.21 on Linux
* Konqueror 3.5.7 on Linux

Pictures taken on my systems (using 1024x768 desktop resolution)
http://alt.swiecki.net/operalin.png
http://alt.swiecki.net/operawin.png
http://alt.swiecki.net/konq.png

A successful attack depends on the proper construction of the
'data:' URL. An algorithm could use the JS
document.body.clientWidth/Height properties to calculate the
best URL padding for the given browser.

PS. Sometimes the Opera web browser displays the beginning of
the 'data:' URL (the correct behaviour), e.g. during
browser startup with an immediate redirect to the last visited page.

--
Robert Swiecki

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


