Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Opera Illegal URL
Posted by: Kyran
Date: September 21, 2006 02:38AM

I've never had this happen before until someone on a forum tryed to put a BR tag in a URL.

opera:illegal-url-## -- The ## refers to how many times it has occured since the current opera session started. Probably because it shows the URL in the error and it uses the ## to pull from memory which one it is.

Quote

The URL http://<br /> contains characters that are not valid in the location they are found.
The reason for their presence may be a mistyped URL, but the URL may also be an attempt to trick you into visiting a website which you might mistakenly think is a site you trust.

I'm suprised with all the XSS I have been playing around with that I have not noticed this before. But it's nice to see that Opera has some features in place.

- Kyran

Options: ReplyQuote
Re: Opera Illegal URL
Posted by: rsnake
Date: September 21, 2006 10:35AM

Which version of Opera are you using? I haven't seen that? Also do you see it when you type in stuff like http://ha.ckers.org/log.cgi?<script>alert('XSS')</script> (it won't work but the browser shouldn't know that up front).

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Opera Illegal URL
Posted by: Kyran
Date: September 21, 2006 11:33AM

Opera 9. No, I don't see it for encoded URLs.
But it's still nice to know there are at least thoughts about XSS behind Operas doors.

- Kyran

Options: ReplyQuote
Re: Opera Illegal URL
Posted by: rsnake
Date: September 21, 2006 06:03PM

That is nice... I'm surprised they didn't do it for URL encoding too... seems like a big hole, but you're right, it's the first thing like it that I've seen. I wonder how robust it is... it would be interesting to look at their signature library.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Opera Illegal URL
Posted by: Kyran
Date: September 21, 2006 06:35PM

I'm going to write a post on the Opera Community forum later tonight regarding encoding. Let's hope we will see it in 9.1

EDIT: Posted.

- Kyran



Edited 1 time(s). Last edit at 09/21/2006 07:19PM by Kyran.

Options: ReplyQuote
Re: Opera Illegal URL
Posted by: rsnake
Date: September 21, 2006 07:47PM

Where did you post it? I'd like to track that thread.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Opera Illegal URL
Posted by: Kyran
Date: September 21, 2006 07:51PM

[my.opera.com]

I just sort of threw the post together, but they get the idea. Only 1 view so far.


Probably mine.

- Kyran

Options: ReplyQuote
Re: Opera Illegal URL
Posted by: rsnake
Date: September 21, 2006 09:20PM

Ahhhh... I see what you are seeing now... this isn't a security measure, they really can't figure out what you mean. There's no additional security here, although this probably still deserves a post because it is an interesting idea.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Opera Illegal URL
Posted by: Kyran
Date: September 21, 2006 09:27PM

Yeah, in the Opera forum post I said it probably wasn't really meant as a security feature initially. But it's a good direction to take it.

- Kyran

Options: ReplyQuote
Re: Opera Illegal URL
Posted by: rsnake
Date: September 21, 2006 09:32PM

Now that I've seen it for myself I agree - it's just some weirdness, but I did post about it because it seems like a good idea: http://ha.ckers.org/blog/20060921/opera-weirdness-might-be-a-good-idea-for-xss-prevention/

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Opera Illegal URL
Posted by: Kyran
Date: September 21, 2006 09:41PM

Neato. First post based off one of my thoughts.

At any rate, perhaps I should post about this on a firefox community board as well. They seem to update faster, regardless of the update size and take suggestions from the community more often. What do you think?

- Kyran

Options: ReplyQuote
Re: Opera Illegal URL
Posted by: rsnake
Date: September 21, 2006 10:27PM

It's risky to implement and it's sure to break lots of stuff, and it will only prevent against reflected XSS but it's certainly worth proposing.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Opera Illegal URL
Posted by: Kyran
Date: September 21, 2006 10:32PM

Ah, yes. But reflected XSS attacks are a dime a dozen. As the "So it begins" thread shows. If we can stop those, XSS might not be as common. Just as interesting and dangerous, but less common.

- Kyran

Options: ReplyQuote
Re: Opera Illegal URL
Posted by: rsnake
Date: September 22, 2006 11:46AM

I had to help out - I don't think they were "getting it". http://forums.mozillazine.org/viewtopic.php?p=2502187#2502187

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Opera Illegal URL
Posted by: Kyran
Date: September 22, 2006 12:43PM

Thanks for that. Check the post times, it was around 1AM. :P

Nothing happening on http://my.opera.com/community/forums/topic.dml?id=159282

- Kyran

Options: ReplyQuote
Re: Opera Illegal URL
Posted by: Kyran
Date: September 24, 2006 07:24PM

I've been reading many white papers regarding XSS lately. All of them seem to say things like, "the user must rely solely on web developers". But with my idea, the browser community should have a hand in it...but..the forum results aren't too promising. I might have to make a few e-mails to the actual developers soon.

- Kyran

Options: ReplyQuote
Re: Opera Illegal URL
Posted by: rsnake
Date: September 24, 2006 09:16PM

Good luck... I've had only moderate success in getting people to understand how browsers can have an effect on this. Clearly the people on those boards don't get it. That's unfortunate.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote


Sorry, only registered users may post in this forum.