data: URL madness
Posted by: Anonymous User
Date: May 10, 2007 03:54PM

Hi!

Maybe it's not really new but you guys might wanna check that out - I played a little bit with the data:-URL feature supported by FFox, Opera and IE7 (dunno if Safari does too). Does anyone else think that this is weird?

http://h4k.in/dataurl

Please tell me what you think!

Greetings,
.mario

Re: data: URL madness
Date: May 10, 2007 04:01PM

http://www.gnucitizen.org/blog/self-contained-xss-attacks/

Re: data: URL madness
Posted by: Anonymous User
Date: May 10, 2007 04:08PM

CrYpTiC_MauleR - the thing is not that data: URLs just work but that you are able to mix together almost arbitrary charsets - look at testcase 04. There you have UTF7, UTF8 and BASE64 together in one data: URL.

Re: data: URL madness
Date: May 10, 2007 04:27PM

My apologies, didn't catch that at first glance.

Do you think maybe it's just not obeying the charset specified?

Re: data: URL madness
Posted by: Anonymous User
Date: May 10, 2007 04:34PM

I don't know - but when the link...

data:text/html;charset=utf-7,+ADwAcwBjAHIAaQBwAHQAPg+-alert(1);history.back()+ADs-</script>

...is called, UTF7 is given but UTF16/BASE64, UTF8 and UTF7 in combination are executed.

It doesn't really create new security holes, but when it comes to filtering it really makes life harder. Any charset normalization (that I know of), and therefore intrusion detection, would fail.

Greetings,
.mario

Edited 1 time(s). Last edit at 05/10/2007 04:36PM by .mario.

Re: data: URL madness
Posted by: trev
Date: May 10, 2007 05:14PM

data: URLs obey the same rules as javascript: URLs - you can obfuscate just about anything, so that any sane sanitization policy will disallow this URL type altogether. I mean, look at these URLs:

javascript:'%3cscript%3ealert(1);%3c/script%3e'
javascript:'\x3cscript\x3ealert(1);\x3c/script\x3e'
javascript:atob('PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=')
javascript:atob('\120HNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=')

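The filtering problem .mario and trev describe above (charset mixing inside data: URLs, and javascript: URLs that can be obfuscated endlessly) is what a scheme allowlist avoids: the link filter never tries to decode the payload, it only normalizes the URL far enough to read the scheme and refuses anything not explicitly allowed. This is an added example written for this thread, not code from the forum or from any of the posters; the allowlist, the bounded percent-decoding and the sample URLs are assumptions of the example.

```python
import re
from urllib.parse import unquote

# Positive allowlist: data:, javascript:, vbscript: and any unknown scheme are
# refused by default instead of being pattern-matched for "<script>".
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# ASCII whitespace and C0/DEL control characters, which browsers discard from a
# URL before reading its scheme (so "java\tscript:" still runs as JavaScript).
_STRIP = re.compile(r"[\x00-\x20\x7f]")


def normalize_url(url: str) -> str:
    """Undo cheap obfuscation layers before the scheme is inspected.

    Percent-decoding is repeated (bounded) so double encoding such as %253A
    cannot hide a colon. Browsers do not percent-decode the scheme itself, so
    this over-approximates: it can only make the filter reject more.
    """
    text = url
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return _STRIP.sub("", text)


def url_scheme(url: str) -> str:
    """Lower-cased scheme of a normalized URL, or '' for a relative link."""
    match = re.match(r"([a-z][a-z0-9+.\-]*):", url, re.IGNORECASE)
    return match.group(1).lower() if match else ""


def is_safe_link(url: str) -> bool:
    """True only for relative links or schemes on the allowlist; the payload
    after data:/javascript: is never decoded, so charset mixing or base64
    inside it cannot matter once the scheme is refused."""
    scheme = url_scheme(normalize_url(url))
    return scheme == "" or scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed inputs: two URLs from this thread plus two obfuscated variants.
    for sample in [
        "data:text/html;charset=utf-7,+ADwAcwBjAHIAaQBwAHQAPg+-alert(1);history.back()+ADs-</script>",
        "javascript:atob('PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=')",
        "jAvA\tscript:alert(1)",
        "data%253Atext/html,hidden",
        "https://sla.ckers.org/forum/",
    ]:
        print("allow" if is_safe_link(sample) else "block", sample)
```

The payload-level tricks in the thread (UTF-7, base64, atob, hex escapes) never reach a decoder here, which is the point: the decision is made on the scheme alone.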
Re: data: URL madness
Date: May 10, 2007 06:12PM

IDS can detect data: only way. Technically if someone is trying to use a data url they most likely will be up to no good. That assumption may change down the road as it starts to get used more.

Re: data: URL madness
Posted by: Anonymous User
Date: May 11, 2007 03:09AM

I just reported the whitespace obfuscation - couldn't find it in the current bug list and seeing Opera 9+ strip out the whitespaces after ten of them made me think that this would be quite useful.

@trev: Didn't know the atob / btoa issue. It's Gecko-only, right?

@CrYpTiC_MauleR: Yes - I guess so.

Re: data: URL madness
Posted by: trev
Date: May 11, 2007 09:49AM

Yes, atob/btoa seems to be Gecko-only. Which doesn't change the fact that you can have just about any sort of obfuscation with JavaScript.

Re: data: URL madness
Posted by: Anonymous User
Date: May 11, 2007 09:56AM

@trev: I agree :)

Re: data: URL madness
Posted by: Anonymous User
Date: May 12, 2007 03:44PM

Well, that obfuscation doesn't matter I guess, if you detect vectors like 'javascript:' & '<script>' in the first place.
