http://yahoo.com@sla.ckers.org

Anyone noticed this "feature" used few years ago to trick IE6 users? It's not the same thing and when I put mouse over a link like that the real address appear in status bar.

Any ideea if this "feature" can be fully exploited to make a working url spoof?

http://www.rstcenter.com - Romanian Security Team
Inchirieri limuzine



Edited 1 time(s). Last edit at 09/11/2008 07:55PM by nemessis.

I mucked around a bit with this and couldn't find anything.

Interestingly though when the following code is executed (onclick) Chrome appears to automatically close the alert box for you.

<iframe src="" id="c"></iframe>
<input type="button" onclick="document.getElementById('c').src='javascript:alert(1);';" value="iof"/>

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 1 time(s). Last edit at 09/11/2008 11:42PM by digi7al64.

It has been widely exploited on Internet Explorer in the past by Me, Liu Die Yu, Georgi Guninski, Andreas Sandblad.

Now once the frame is loaded with a different domain, you cannot assign it with a javascript:/vbscript: url in Internet Explorer, Google Chrome and FireFox.

Microsoft also made a change that any frame redirecting from "http:*" "about:*" or "res:*" to javascript:/vbscript: will load in Internet Zone, so you cannot use it to execute/inject code into Local Zone frames anymore.

May be Google Chrome has some of the same old diseases :)

http://rafelivgi.blogspot.com
Aspect9 Founder & Chief Security Architect
------------------------------------------
My job is to assess not assassinate
You can spend your life reading what others write or you can spend your life writing for others to read, choose your destiny!