I've never had this happen before until someone on a forum tryed to put a BR tag in a URL.

opera:illegal-url-## -- The ## refers to how many times it has occured since the current opera session started. Probably because it shows the URL in the error and it uses the ## to pull from memory which one it is.

Quote

The URL http://<br /> contains characters that are not valid in the location they are found.
The reason for their presence may be a mistyped URL, but the URL may also be an attempt to trick you into visiting a website which you might mistakenly think is a site you trust.

I'm suprised with all the XSS I have been playing around with that I have not noticed this before. But it's nice to see that Opera has some features in place.

- Kyran

Which version of Opera are you using? I haven't seen that? Also do you see it when you type in stuff like http://ha.ckers.org/log.cgi?<script>alert('XSS')</script> (it won't work but the browser shouldn't know that up front).

- RSnake
Gotta love it. http://ha.ckers.org

Opera 9. No, I don't see it for encoded URLs.
But it's still nice to know there are at least thoughts about XSS behind Operas doors.

- Kyran

That is nice... I'm surprised they didn't do it for URL encoding too... seems like a big hole, but you're right, it's the first thing like it that I've seen. I wonder how robust it is... it would be interesting to look at their signature library.

- RSnake
Gotta love it. http://ha.ckers.org

I'm going to write a post on the Opera Community forum later tonight regarding encoding. Let's hope we will see it in 9.1

EDIT: Posted.

- Kyran



Edited 1 time(s). Last edit at 09/21/2006 07:19PM by Kyran.

Where did you post it? I'd like to track that thread.

- RSnake
Gotta love it. http://ha.ckers.org

[my.opera.com]

I just sort of threw the post together, but they get the idea. Only 1 view so far.


Probably mine.

- Kyran

Ahhhh... I see what you are seeing now... this isn't a security measure, they really can't figure out what you mean. There's no additional security here, although this probably still deserves a post because it is an interesting idea.

- RSnake
Gotta love it. http://ha.ckers.org

Yeah, in the Opera forum post I said it probably wasn't really meant as a security feature initially. But it's a good direction to take it.

- Kyran

Now that I've seen it for myself I agree - it's just some weirdness, but I did post about it because it seems like a good idea: http://ha.ckers.org/blog/20060921/opera-weirdness-might-be-a-good-idea-for-xss-prevention/

- RSnake
Gotta love it. http://ha.ckers.org

Neato. First post based off one of my thoughts.

At any rate, perhaps I should post about this on a firefox community board as well. They seem to update faster, regardless of the update size and take suggestions from the community more often. What do you think?

- Kyran

It's risky to implement and it's sure to break lots of stuff, and it will only prevent against reflected XSS but it's certainly worth proposing.

- RSnake
Gotta love it. http://ha.ckers.org

Ah, yes. But reflected XSS attacks are a dime a dozen. As the "So it begins" thread shows. If we can stop those, XSS might not be as common. Just as interesting and dangerous, but less common.

- Kyran

I had to help out - I don't think they were "getting it". http://forums.mozillazine.org/viewtopic.php?p=2502187#2502187

- RSnake
Gotta love it. http://ha.ckers.org

Thanks for that. Check the post times, it was around 1AM. :P

Nothing happening on http://my.opera.com/community/forums/topic.dml?id=159282

- Kyran

I've been reading many white papers regarding XSS lately. All of them seem to say things like, "the user must rely solely on web developers". But with my idea, the browser community should have a hand in it...but..the forum results aren't too promising. I might have to make a few e-mails to the actual developers soon.

- Kyran

Good luck... I've had only moderate success in getting people to understand how browsers can have an effect on this. Clearly the people on those boards don't get it. That's unfortunate.

- RSnake
Gotta love it. http://ha.ckers.org