Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
hotmail url obfuscation
Posted by: gamma
Date: December 25, 2006 04:42PM

I'm trying to obfuscate the specially crafted URL that I'm sending to a Hotmail user. It seems Hotmail automatically reverses hex characters to ASCII. I tried fooling the system by hexing the values twice, with no luck. Anyway, what's the best way to obfuscate a URL that I'm sending to a Hotmail user?

Thanks :)

Re: hotmail url obfuscation
Posted by: kuza55
Date: December 25, 2006 05:52PM

The easiest method is to just use something like tinyurl.com to redirect the user to your non-obfuscated URL.

Or if you're trying to conduct an XSS attack, then the best method would be to simply host a site with some content on it, and then have an invisible iframe to force the user to visit your attack URL.

Re: hotmail url obfuscation
Posted by: jungsonn
Date: December 25, 2006 06:20PM

Or just make a page with a frameset/iframe at max size, load horrormail into it.

Re: hotmail url obfuscation
Posted by: gamma
Date: December 26, 2006 03:49AM

Thank you all; btw, sorry for posting this in the inappropriate category (should be in XSS).

:)

Re: hotmail url obfuscation
Date: December 28, 2006 09:01PM

There are also plenty of exploits on other websites that can make them do the redirection for you. http://sla.ckers.org/forum/read.php?3,505

Re: hotmail url obfuscation
Posted by: jungsonn
Date: December 29, 2006 04:56AM

Quote

It seems hotmail automatically reverses hex characters to ASCII.

In which browser do you test this? Firefox uses canonicalization for hexed URIs; maybe MSIE does also.

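The thread's observation that the mail service and the browser both "reverse hex characters" is the defender's side of canonicalization: a link filter that percent-decodes exactly once will treat a double-encoded payload as harmless text, while a browser or a second decoding stage later turns it back into markup. The following Python, added here as an illustration and not code from the forum or from any mail provider, normalizes a link to a fixpoint before inspecting it and reports how many encoding layers were stripped. The hostname and query strings are constructed sample input.

```python
from urllib.parse import unquote

# Upper bound on decode rounds so a pathological input cannot spin the filter.
MAX_ROUNDS = 5

# Characters that should never survive in a link after full decoding when the
# link is expected to be a plain destination (constructed, minimal watch list).
MARKUP_CHARS = ("<", ">", '"', "'")


def decode_to_fixpoint(text, max_rounds=MAX_ROUNDS):
    """Percent-decode repeatedly until the string stops changing.

    Returns (decoded_text, rounds) where rounds is the number of layers
    that were actually removed: 0 for plain text, 1 for ordinary
    percent-encoding, 2 or more for nested ("double") encoding.
    """
    rounds = 0
    current = text
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current, rounds


def analyze_url(url):
    """Canonicalize a link the way a mail-side filter should and summarize it.

    A single-pass filter would compare the raw url against a watch list and
    miss nested encodings; this compares the fully decoded form instead.
    """
    decoded, layers = decode_to_fixpoint(url)
    return {
        "raw": url,
        "decoded": decoded,
        "encoding_layers": layers,
        # Nested encoding is itself a strong signal of evasion attempts.
        "double_encoded": layers > 1,
        # Only meaningful after canonicalization; checking the raw form misses it.
        "contains_markup": any(ch in decoded for ch in MARKUP_CHARS),
    }


if __name__ == "__main__":
    # Constructed samples: plain, single-encoded, and double-encoded query values.
    for sample in (
        "http://example.com/?q=hello",
        "http://example.com/?q=%3Cb%3E",
        "http://example.com/?q=%253Cscript%253E",
    ):
        print(analyze_url(sample))
```

The fixpoint loop is what makes the filter robust: whatever number of encoding layers a sender applies, the filter inspects the same bytes the final decoder will see, and the `encoding_layers` count gives a cheap detection signal on its own.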