Spoofing Address Bar in Firefox/Opera
Posted by: maluc
Date: December 21, 2006 04:16AM

PoC here: http://maluc.sitesled.com/address_spoof.html
Phish Page to spoof: http://maluc.sitesled.com/fakehotmail.html

In Firefox, even though we're still on the sitesled domain, the address should show:
data:text/html,http:/login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=1033

It's not perfect, but it's still a concern. Since 95% of users have never heard of the data: directive, it has an 'unsecurity through obscurity' advantage. In Opera 9 (Opera 8 is not really vulnerable), data: directive addresses get displayed justified right for some reason beyond me, so everything is right-aligned. Easier to see what I mean by screenshot:




The machine behind the magic is quite simple: a data:text/html page starting with the address to spoof, followed by lots of whitespace, then the phish page's HTML, then a bunch more whitespace, and ending with the same address to spoof:
data:text/html,http:/bankofamerica.com/login.asp                                                                                       
                             <html><body><div style='color:red'>This is a spoofed page.</div></body></html>                                                                                      
                                                          http:/bankofamerica.com/login.asp

For my PoC, I chose to use an iframe to fakehotmail.html, rather than putting the whole HTML code in the link, but either method works. That directive is loaded with a simple meta tag, no JavaScript required:
<meta http-equiv="refresh" content="0;url=data:text/html,blah">

As for a solution, this is inherent to how data: directives work, so I don't see an easy solution short of pulling all support for data:. Maybe a warning popup if the data starts with http:// could help prevent abuse. Also, Opera should really keep it left-aligned like everything else.

-maluc
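
The check suggested at the end of the post above (warn when a data: payload starts with an http address), written as a detection routine for pages or HTML mail. This is an added example, not part of the original post or of any browser's code; the function names, the PAD_RUN threshold and the bank.example address are assumptions.

```javascript
// Added example (not from the thread). Names and PAD_RUN are assumptions.
const PAD_RUN = 20; // whitespace run long enough to push markup out of the address bar

// Inspect one URL: is it a data: URI whose payload opens with a web address?
function inspectDataUri(url) {
  const m = /^\s*data:([^,]*),([\s\S]*)$/i.exec(url);
  if (!m) return { isData: false, suspicious: false, reasons: [] };
  let body = m[2];
  try {
    body = /;base64/i.test(m[1]) ? atob(body) : decodeURIComponent(body);
  } catch (e) { /* malformed encoding: fall back to the raw payload */ }
  const reasons = [];
  // The thread's PoC uses "http:/" with one slash, so accept one or two.
  if (/^\s*https?:\/{1,2}[^\s<]+/i.test(body)) reasons.push("starts-with-address");
  if (new RegExp("\\s{" + PAD_RUN + ",}").test(body)) reasons.push("whitespace-padding");
  if (/<\s*(html|body|iframe|form|script|div)\b/i.test(body)) reasons.push("embedded-markup");
  return { isData: true, suspicious: reasons.includes("starts-with-address"), reasons };
}

// Pull redirect targets out of <meta http-equiv="refresh"> tags. Quoted attribute
// values may contain ">", so the tag pattern skips over quoted strings.
function metaRefreshTargets(html) {
  const targets = [];
  const tags = html.match(/<meta\b(?:[^>"']|"[^"]*"|'[^']*')*>/gi) || [];
  for (const tag of tags) {
    if (!/http-equiv\s*=\s*["']?refresh/i.test(tag)) continue;
    const content = /content\s*=\s*(["'])([\s\S]*?)\1/i.exec(tag);
    const target = content && /url\s*=\s*([\s\S]+)$/i.exec(content[2]);
    if (target) targets.push(target[1].trim());
  }
  return targets;
}

// Scan a page or HTML mail body and return only the flagged redirect targets.
function scanHtml(html) {
  return metaRefreshTargets(html).map(inspectDataUri).filter((r) => r.suspicious);
}

// Constructed sample in the shape described in the post (bank.example is a placeholder).
const PAD = " ".repeat(120);
const SAMPLE_HTML = '<html><head><meta http-equiv="refresh" content="0;url=data:text/html,' +
  "http:/bank.example/login.asp" + PAD +
  "<html><body><div style='color:red'>This is a spoofed page.</div></body></html>" + PAD +
  'http:/bank.example/login.asp"></head><body></body></html>';

console.log(scanHtml(SAMPLE_HTML));
```

The same inspectDataUri call can be applied to link targets in a mail filter; the supporting reasons (padding, embedded markup) help an analyst rank hits.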

Re: Spoofing Address Bar in Firefox/Opera
Posted by: jungsonn
Date: December 21, 2006 06:17AM

Nice find maluc! I did not know the existence of the data: directive, pretty strange feature.

The red google horns are cool also :))

Re: Spoofing Address Bar in Firefox/Opera
Posted by: WhiteAcid
Date: December 21, 2006 07:35AM

Great find. I was a bit confused when I got a 404 error until I saw you had the iframe's src set to http://localhost/fakehotmail.html. I wonder when I'll see data directives in my spam email.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Spoofing Address Bar in Firefox/Opera
Posted by: maluc
Date: December 21, 2006 10:24AM

Oops.. I do that a lot ^^. Thanks for letting me know, fixed.

-maluc

Re: Spoofing Address Bar in Firefox/Opera
Posted by: jungsonn
Date: December 21, 2006 10:33AM

Quote

I wonder when I'll see data directives in my spam email

Yeah bright remark, shouldn't take long :)
