Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
internet explorer madness
Posted by: Albino
Date: April 11, 2012 02:02PM

I have a page that loads a third party stylesheet and alert()'s some info from it. For some reason it only works if I open it locally; hosting the page anywhere breaks it.

Here's the code:

<html>
<head>
<link rel="stylesheet" href="https://SNIP" type="text/css">
</head>
<body>
<script>
alert(document.body.currentStyle.fontFamily);
</script>
</body>
</html>

I've looked at the HTTP requests in burp and they appear to be identical, except that the local one is missing the Referer header since it's cross-protocol.

I've tried changing the doctype & turning quirks mode on and off to to avail. Any ideas?

-------------------------------------------------------
Research blog

Options: ReplyQuote
Re: internet explorer madness
Posted by: Anonymous User
Date: April 11, 2012 03:09PM

When you say host it anywhere breaks it, Im assuming you mean on the net.

I spun up IIS and atleast using my local IP, I am still able to fire off the alert.

Options: ReplyQuote
Re: internet explorer madness
Posted by: infinity
Date: April 11, 2012 03:48PM

Which version of the internet explorer are you using?

I have uploaded an HTML page with your code, using the stylesheet from my website, on a completely different domain on a different IP address. And I have the same page on my local Apache, using the same stylesheet from the web. The third possibility is to open the file locally.

All three possibilities seem to work with Internet Explorer 9, but I had to confirm something about the intranet configuration when requesting the file from the localhost Apache.

No problem with Internet Explorer 5.5 and 6, but I can't get any of the three possibilities to work with IE 7. These older versions are not running stable on my system and tabs crash frequently.

Apparently it does not work with the current Firefox and an older Version of K-Meleon, but all versions (local as file, local on my Apache and hosted on a domain) work with Opera 11.62.

One difference to your example is that my stylesheet is not requested through https, but ordinary http. So I have changed the test page to use a stylesheet from an https site. But still all three possibilities work in IE9 and the current version of Opera.

I hope that this information helps. :-)

Options: ReplyQuote
Re: internet explorer madness
Posted by: Albino
Date: April 23, 2012 07:24AM

Seems like it's related to security zones; the poc only works if it's in the trusted/local security zone. Ah well.

-------------------------------------------------------
Research blog

Options: ReplyQuote


Sorry, only registered users may post in this forum.