Re: [Full-disclosure] Opera/Konqueror: data: URL scheme address bar spoofing



Hi Robert, it works for me on Opera 9.21 (8776) WXP SP2.
I was trying to do the same with Firefox and it seems to work too..
but you get the "data:text/html"; on the beginning of the URL.

here you have a PoC for FF, it works on a 2.0.0.4 version
http://www.rzw.com.ar/ff_URL_spoofing.html


On 7/14/07, Martin Aberastegue <xyborg@xxxxxxxxx> wrote:
Hi Robert, it works for me on Opera 9.21 (8776) WXP SP2.
I was trying to do the same with Firefox and it seems to work too..
but you get the "data:text/html"; on the beginning of the URL.

here you have a PoC for FF, it works on a 2.0.0.4 version
http://www.rzw.com.ar/ff_URL_spoofing.html


On 7/13/07, Robert Swiecki <jagger@xxxxxxxxxxx> wrote:
With a specially crafted web page, an attacker can redirect
a www browser to a page whose URL (in the url bar) resembles
an arbitrary domain chosen by the attacker.

It's possible due to the fact that some web browsers incorrectly
display contents of the url bar while rendering pages based on the
'data:' URL scheme (RFC 2397). Only the ending of the URL is
displayed. Padding the URL with whitespaces allows an attacker to
insert arbitrary content into the browser url bar.

http://alt.swiecki.net/oper1.html

Tested with:
* Opera 9.21 on Win 2003SE and Win XPSP2
* Opera 9.21 on Linux
* Konqueror 3.5.7 on Linux

Pictures taken on my systems (using 1024x768 desktop resolution)
http://alt.swiecki.net/operalin.png
http://alt.swiecki.net/operawin.png
http://alt.swiecki.net/konq.png

Successful attack depends on the proper construction of the
'data:' URL. An algorithm could utilize JS
document.body.clientWidth/Height properties to calculate the
best url padding for the given browser.

PS. Sometimes Opera web browser displays the beginning of
the 'data:' URL (correct behaviour), e.g. during
browser startup with immediate redirect to the last visited page.

--
Robert Swiecki

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



--
Martin Aberastegue
http://www.rzw.com.ar
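
A defensive counterpart to the behaviour discussed in this thread, as an added example that is not part of any poster's message: it parses a 'data:' URL per RFC 2397, flags long whitespace padding followed by host-like text at the end, and renders the URL so the scheme is always shown first. The function names, the MIN_PAD threshold and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example, not code from the thread. Names and MIN_PAD are assumptions.
const MIN_PAD = 16; // consecutive whitespace units treated as padding
// One whitespace unit: literal, percent-encoded, or NBSP (raw or encoded).
const WS_UNIT = "(?:[ \\t\\r\\n\\u00a0]|%20|%09|%0[aAdD]|%[cC]2%[aA]0)";
const PAD_RUN = new RegExp(WS_UNIT + "{" + MIN_PAD + ",}", "g");
const HOSTLIKE = /(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[\/:?#]\S*)?\s*$/i;

// Split a data: URL per RFC 2397: data:[<mediatype>][;base64],<data>
function parseDataUrl(url) {
  const m = /^\s*data:([^,]*),([\s\S]*)$/i.exec(url);
  if (!m) return null;
  const params = m[1].split(";");
  const lastParam = params[params.length - 1].trim().toLowerCase();
  return {
    mediaType: params[0].trim() || "text/plain", // RFC 2397 default type
    base64: params.length > 1 && lastParam === "base64",
    payload: m[2],
  };
}

// Flag the pattern from the advisory: a long padding run followed by text
// that reads like a host name at the very end of the URL.
function inspectUrl(url) {
  const parsed = parseDataUrl(url);
  if (!parsed) return { isData: false, padded: false, spoofLike: false };
  const runs = [...url.matchAll(PAD_RUN)];
  const last = runs[runs.length - 1];
  // Only the text after the final padding run is what a tail-only bar shows.
  const tail = last ? url.slice(last.index + last[0].length).slice(-256) : "";
  return { isData: true, mediaType: parsed.mediaType, base64: parsed.base64,
           padded: runs.length > 0, spoofLike: HOSTLIKE.test(tail) };
}

// Render for a bar of maxChars: collapse padding to a visible marker and
// truncate from the END, so the scheme is always the first thing shown.
function displayUrl(url, maxChars) {
  const collapsed = url.trimStart().replace(PAD_RUN, "[...]");
  if (collapsed.length <= maxChars) return collapsed;
  return collapsed.slice(0, maxChars - 1) + "\u2026";
}

// Constructed sample input (reserved .test domain), not taken from the PoCs.
const SAMPLE = "data:text/html," + " ".repeat(200) + "http://www.example.test/login";
```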


