Hi!

Maybe it's not really new but you guys might wanna check that out - I played a little bit with the data:-URL feature supported by FFox, Opera and IE7 (dunno if Safari does too). Does anyone else think that this is weird?

http://h4k.in/dataurl

Please tell me what you think!

Greetings,
.mario

http://www.gnucitizen.org/blog/self-contained-xss-attacks/

CrYpTiC_MauleR - the thing is not that data: URLs just work but that you are able to mix together almost arbitrary charsets - look at testcase 04. There you have UTF7, UTF8 and BASE64 together in one data: URL

My apologies didn't catch that at first glance.

Do you think maybe it just not obeying the charset specified.

I don't know - but when the link...

data:text/html;charset=utf-7,+ADwAcwBjAHIAaQBwAHQAPg+-alert(1);history.back()+ADs-</script>

...is called, UTF7 is given but UTF16/BASE64, UTF8 and UTF7 in combination are executed.

It doesn't really create new security holes but coming to filtering it really makes life harder. Any charset normalization (I know) and therefore intrusion detection would fail.

Greetings,
.mario



Edited 1 time(s). Last edit at 05/10/2007 04:36PM by .mario.

data: URLs obey the same rules as javascript: URLs - you can obfuscate just about anything, so that any sane sanitization policy will disallow this URL type altogether. I mean, look at these URLs:

javascript:'%3cscript%3ealert(1);%3c/script%3e'
javascript:'\x3cscript\x3ealert(1);\x3c/script\x3e'
javascript:atob('PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=')
javascript:atob('\120HNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=')

IDS can detect data: only way. Technically if someone is trying to use a data url they most likely will be up to no good. That assumption may change down the road as it starts to get used more.

I just reported the whitespace obfuscation - couldn't find it in the current bug list and seeing Opera 9+ strip out the whitespaces after ten of them made me think that this would be quite useful.

@trev: Didn't know the atob / btob issue. It's Gecko-only, right?

@CrYpTiC_MauleR: Yes - I guess so.

Yes, atob/btoa seems to be Gecko-only. Which doesn't change the fact that you can have just about any sort of obfuscation with JavaScript.

@trev: I agree :)

well that obfuscation doesn't matter I guess, if you detect vectors like 'javascript:' & '<script>' in the first place.