Sla.ckers.org
Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
browser protocol hacks
Posted by: clayfox
Date: August 14, 2009 12:50PM

I was inspired by http://sla.ckers.org/forum/read.php?2,29547,29656#msg-29656 so I figured I would see if other "browser protocols" have exploitable pieces.

I am posting here at the start of the idea. I would like to gather a list of the "browser protocols" out there and then test them for XSS, click-jacking, and CSRF attacks.

I have started testing Firefox and Chrome.

Firefox:
--------
about:
about:blank
about:buildconfig
about:cache
about:config (would be good for click-jacking/csrf)
about:crashes
about:credits
about:logo
about:kitchensink
about:license
about:mozilla
about:plugins
about:robots

Chrome:
-------
about:
about:version
about:plugins
about:cache (puts urls in html ... persistent xss anyone?)
about:memory
about:stats
about:histograms
about:dns (only domains ... <script> subdomain?)
about:network
about:crash
about:hang
about:internets

Chrome has other "browser protocols" like chrome://history/

This is kind of a brain-dump for now.

-clayfox

Re: browser protocol hacks
Posted by: Anonymous User
Date: August 14, 2009 02:00PM

Here's some more info:

http://en.wikipedia.org/wiki/About:_URI_scheme#Common_about:_addresses
https://developer.mozilla.org/en/URIScheme
http://mxr.mozilla.org/seamonkey/source/docshell/build/nsDocShellModule.cpp#138

Re: browser protocol hacks
Posted by: rvdh
Date: August 15, 2009 06:56AM

Here's my list:


CREATE TABLE `about` (
  `id` int(11) NOT NULL auto_increment,
  `name` varchar(255) NOT NULL default '',
  `arg` varchar(20) NOT NULL default '',
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=37 DEFAULT CHARSET=latin1;

-- 
-- Dumping data for table `about`
-- 

INSERT INTO `about` VALUES (1, 'about:', 'mozilla');
INSERT INTO `about` VALUES (2, 'about:plugins', 'mozilla');
INSERT INTO `about` VALUES (3, 'about:cache', 'mozilla');
INSERT INTO `about` VALUES (4, 'about:blank', 'mozilla');
INSERT INTO `about` VALUES (5, 'about:mozilla', 'mozilla');
INSERT INTO `about` VALUES (6, 'about:logo', 'mozilla');
INSERT INTO `about` VALUES (7, 'about:licence', 'mozilla');
INSERT INTO `about` VALUES (8, 'about:credits', 'mozilla');
INSERT INTO `about` VALUES (9, 'about:bloat', 'mozilla');
INSERT INTO `about` VALUES (10, 'about:bloat?new', 'mozilla');
INSERT INTO `about` VALUES (11, 'about:bloat?clear', 'mozilla');
INSERT INTO `about` VALUES (12, 'about:neterror', 'mozilla');
INSERT INTO `about` VALUES (19, 'about:Tabs', 'msie');
INSERT INTO `about` VALUES (18, 'about:blank', 'msie');
INSERT INTO `about` VALUES (17, 'about:', 'msie');
INSERT INTO `about` VALUES (20, 'about:Home', 'msie');
INSERT INTO `about` VALUES (21, 'about:DesktopItemNavigationFailure', 'msie');
INSERT INTO `about` VALUES (22, 'about:NavigationCanceled', 'msie');
INSERT INTO `about` VALUES (23, 'about:NavigationFailure', 'msie');
INSERT INTO `about` VALUES (24, 'about:OfflineInformation', 'msie');
INSERT INTO `about` VALUES (25, 'about:PostNotCached', 'msie');
INSERT INTO `about` VALUES (26, 'about:SecurityRisk', 'msie');
INSERT INTO `about` VALUES (27, 'opera:blank', 'opera');
INSERT INTO `about` VALUES (28, 'opera:about', 'opera');
INSERT INTO `about` VALUES (29, 'about:opera', 'opera');
INSERT INTO `about` VALUES (30, 'opera:cache', 'opera');
INSERT INTO `about` VALUES (31, 'opera:config', 'opera');
INSERT INTO `about` VALUES (32, 'opera:drives', 'opera');
INSERT INTO `about` VALUES (33, 'opera:history', 'opera');
INSERT INTO `about` VALUES (34, 'opera:plugins', 'opera');
INSERT INTO `about` VALUES (35, 'opera:button', 'opera');
INSERT INTO `about` VALUES (36, 'opera:help', 'opera');

Re: browser protocol hacks
Posted by: rvdh
Date: August 15, 2009 06:58AM

And here are some schemes to play with:

CREATE TABLE `schemes` (
  `id` int(11) NOT NULL auto_increment,
  `name` varchar(255) NOT NULL default '',
  `arg` varchar(20) NOT NULL default '',
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=86 DEFAULT CHARSET=latin1;

-- 
-- Dumping data for table `schemes`
-- 

INSERT INTO `schemes` VALUES (1, 'file:', '');
INSERT INTO `schemes` VALUES (2, 'resource:', '');
INSERT INTO `schemes` VALUES (3, 'res:', '');
INSERT INTO `schemes` VALUES (4, 'chrome:', '');
INSERT INTO `schemes` VALUES (5, 'wyciwyg:', '');
INSERT INTO `schemes` VALUES (6, 'wais:', '');
INSERT INTO `schemes` VALUES (7, 'pop:', '');
INSERT INTO `schemes` VALUES (8, 'shell:', '');
INSERT INTO `schemes` VALUES (9, 'news:', '');
INSERT INTO `schemes` VALUES (10, 'aim:', '');
INSERT INTO `schemes` VALUES (11, 'data:', '');
INSERT INTO `schemes` VALUES (12, 'gopher:', '');
INSERT INTO `schemes` VALUES (13, 'finger:', '');
INSERT INTO `schemes` VALUES (14, 'x-jsd:', '');
INSERT INTO `schemes` VALUES (15, 'mhtml:', '');
INSERT INTO `schemes` VALUES (16, 'ms-its:', '');
INSERT INTO `schemes` VALUES (17, 'mt:', '');
INSERT INTO `schemes` VALUES (18, 'its:', '');
INSERT INTO `schemes` VALUES (19, 'mk:@MSITStore:', '');
INSERT INTO `schemes` VALUES (20, 'about:', '');
INSERT INTO `schemes` VALUES (21, 'aim:', '');
INSERT INTO `schemes` VALUES (22, 'callto:', '');
INSERT INTO `schemes` VALUES (23, 'cvs:', '');
INSERT INTO `schemes` VALUES (24, 'ed2k:', '');
INSERT INTO `schemes` VALUES (25, 'feed:', '');
INSERT INTO `schemes` VALUES (26, 'fish:', '');
INSERT INTO `schemes` VALUES (27, 'gizmoproject:', '');
INSERT INTO `schemes` VALUES (28, 'iax2:', '');
INSERT INTO `schemes` VALUES (29, 'irc:', '');
INSERT INTO `schemes` VALUES (30, 'ircs:', '');
INSERT INTO `schemes` VALUES (31, 'lastfm:', '');
INSERT INTO `schemes` VALUES (32, 'ldaps:', '');
INSERT INTO `schemes` VALUES (33, 'magnet:', '');
INSERT INTO `schemes` VALUES (34, 'mms:', '');
INSERT INTO `schemes` VALUES (35, 'msnim:', '');
INSERT INTO `schemes` VALUES (36, 'nsfw:', '');
INSERT INTO `schemes` VALUES (37, 'psyc:', '');
INSERT INTO `schemes` VALUES (38, 'rsync:', '');
INSERT INTO `schemes` VALUES (39, 'secondlife:', '');
INSERT INTO `schemes` VALUES (40, 'skype:', '');
INSERT INTO `schemes` VALUES (41, 'ssh:', '');
INSERT INTO `schemes` VALUES (42, 'sftp:', '');
INSERT INTO `schemes` VALUES (43, 'smb:', '');
INSERT INTO `schemes` VALUES (44, 'sms:', '');
INSERT INTO `schemes` VALUES (45, 'soldat:', '');
INSERT INTO `schemes` VALUES (46, 'steam:', '');
INSERT INTO `schemes` VALUES (47, 'unreal:', '');
INSERT INTO `schemes` VALUES (48, 'ut2004:', '');
INSERT INTO `schemes` VALUES (49, 'xfire:', '');
INSERT INTO `schemes` VALUES (50, 'ymsgr:', '');
INSERT INTO `schemes` VALUES (51, 'aaa:', '');
INSERT INTO `schemes` VALUES (52, 'aaas:', '');
INSERT INTO `schemes` VALUES (53, 'acap:', '');
INSERT INTO `schemes` VALUES (54, 'cap:', '');
INSERT INTO `schemes` VALUES (55, 'cid:', '');
INSERT INTO `schemes` VALUES (56, 'crid:', '');
INSERT INTO `schemes` VALUES (57, 'data:', '');
INSERT INTO `schemes` VALUES (58, 'dav:', '');
INSERT INTO `schemes` VALUES (59, 'dict:', '');
INSERT INTO `schemes` VALUES (60, 'dns:', '');
INSERT INTO `schemes` VALUES (61, 'fax:', '');
INSERT INTO `schemes` VALUES (62, 'file:', '');
INSERT INTO `schemes` VALUES (63, 'ftp:', '');
INSERT INTO `schemes` VALUES (64, 'go:', '');
INSERT INTO `schemes` VALUES (65, 'gopher:', '');
INSERT INTO `schemes` VALUES (66, 'h323:', '');
INSERT INTO `schemes` VALUES (67, 'http:', '');
INSERT INTO `schemes` VALUES (68, 'https:', '');
INSERT INTO `schemes` VALUES (69, 'im:', '');
INSERT INTO `schemes` VALUES (70, 'imap:', '');
INSERT INTO `schemes` VALUES (71, 'ldap:', '');
INSERT INTO `schemes` VALUES (72, 'mailto:', '');
INSERT INTO `schemes` VALUES (73, 'mid:', '');
INSERT INTO `schemes` VALUES (74, 'nfs:', '');
INSERT INTO `schemes` VALUES (75, 'nntp:', '');
INSERT INTO `schemes` VALUES (76, 'pop:', '');
INSERT INTO `schemes` VALUES (77, 'pres:', '');
INSERT INTO `schemes` VALUES (78, 'sip:', '');
INSERT INTO `schemes` VALUES (79, 'sips:', '');
INSERT INTO `schemes` VALUES (80, 'snmp:', '');
INSERT INTO `schemes` VALUES (81, 'tel:', '');
INSERT INTO `schemes` VALUES (82, 'telnet:', '');
INSERT INTO `schemes` VALUES (83, 'urn:', '');
INSERT INTO `schemes` VALUES (84, 'wais:', '');
INSERT INTO `schemes` VALUES (85, 'xmpp:', '');

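The thread above collects about: pages and URL schemes as an attack surface for XSS, clickjacking and CSRF. From the defender's side, the practical consequence is that a web application which emits user-supplied links must decide, by scheme, which ones may ever become an href. The following is an added example, not code from the thread or from any of its posters: a small allowlist filter that extracts the scheme the way a browser would (stripping leading/trailing C0 controls and spaces and removing embedded tab/newline characters before parsing, as the WHATWG URL parser does) and rejects everything outside http, https and mailto. The sample URLs are constructed from the lists in this thread; `ALLOWED_SCHEMES`, `classify_link` and `audit_links` are names chosen for this example.

```python
"""Scheme allowlist for user-supplied link targets (added example).

Decides whether a link from untrusted input may be emitted as an href.
The decision is made on the scheme, parsed the way browsers parse it, so
that obfuscation (mixed case, leading whitespace, embedded newlines) does
not let an exotic scheme through.
"""
import re

# Only these schemes may appear in user-controlled hrefs (assumption for
# this example; a real site may also want tel: or sms:, which are on the
# thread's list, but should add them deliberately).
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# C0 control characters (0x00-0x1f) and space (0x20).
_C0_AND_SPACE = "".join(map(chr, range(0x21)))


def _normalize_like_browser(url: str) -> str:
    """Apply the pre-parse cleanup the WHATWG URL parser performs:
    strip leading/trailing C0 controls and spaces, then remove every
    ASCII tab, LF and CR anywhere in the string."""
    url = url.strip(_C0_AND_SPACE)
    return re.sub(r"[\t\n\r]", "", url)


def extract_scheme(url: str):
    """Return the lowercase scheme of `url`, or None for a relative
    reference (no scheme present after browser-style normalization)."""
    match = _SCHEME_RE.match(_normalize_like_browser(url))
    return match.group(1).lower() if match else None


def classify_link(url: str) -> str:
    """Return 'allow' for relative references and allowlisted schemes,
    'block' for anything else (about:, data:, file:, shell:, ...)."""
    scheme = extract_scheme(url)
    if scheme is None:
        # No scheme: the link stays on the page's own scheme. Note that a
        # bare 'path:with/colon' parses as scheme 'path'; write './path:...'
        # for a relative link whose first segment contains a colon.
        return "allow"
    return "allow" if scheme in ALLOWED_SCHEMES else "block"


def audit_links(urls):
    """Classify every URL and return {url: decision}."""
    return {url: classify_link(url) for url in urls}


# Constructed sample input, drawn from the schemes and about: pages
# listed in this thread plus a few ordinary links.
SAMPLE_LINKS = [
    "https://sla.ckers.org/forum/",
    "http://example.com/page",
    "mailto:someone@example.com",
    "/relative/path",
    "about:config",
    "ABOUT:cache",
    "\t data:text/html,hello",        # leading tab/space, blocked
    "a\nbout:blank",                  # embedded newline, still about:
    "FILE:///etc/hosts",
    "shell:",
    "mk:@MSITStore:",
    "opera:config",
    "chrome://history/",
]


if __name__ == "__main__":
    for link, decision in audit_links(SAMPLE_LINKS).items():
        print(f"{decision:5}  scheme={extract_scheme(link)!s:10}  {link!r}")
```

The filter deliberately mirrors browser normalization rather than doing a naive `startswith("http")` check: a link such as `"\t about:config"` or `"a\nbout:blank"` is dispatched by the browser to the about: handler, so the filter has to reach the same scheme before comparing it against the allowlist. Anything it cannot positively allow is dropped, which also covers schemes that were not on anyone's list.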
Re: browser protocol hacks
Posted by: clayfox
Date: August 16, 2009 10:11PM

Wow! This should be fun. Looks like there is plenty to test. I'll report anything I find ... eventually.

-clayfox

Re: browser protocol hacks
Posted by: timb
Date: December 05, 2009 11:50AM

You might want to take a look at KDE's IO slaves... some fun to be had there:

http://www.portcullis-security.com/329.php
