I was inspired by http://sla.ckers.org/forum/read.php?2,29547,29656#msg-29656 so I figured I would see if other "browser protocols" have exploitable pieces.

I am posting here at the start of the idea. I would like to gather a list of the "browser protocols" out there and then test them for XSS, click-jacking, and CSRF attacks.

I have started testing Firefox and Chrome.

Firefox:
--------
about:
about:blank
about:buildconfig
about:cache
about:config (would be good for click-jacking/csrf)
about:crashes
about:credits
about:logo
about:kitchensink
about:license
about:mozilla
about:plugins
about:robots

Chrome:
-------
about:
about:version
about:plugins
about:cache (puts urls in html ... persistent xss anyone?)
about:memory
about:stats
about:histograms
about:dns (only domains ... <script> subdomain?)
about:network
about:crash
about:hang
about:internets

chrome has other "browser protocols" like chrome://history/

This is kind of a brain-dump for now.

-clayfox

Here's some more info:

http://en.wikipedia.org/wiki/About:_URI_scheme#Common_about:_addresses
https://developer.mozilla.org/en/URIScheme
http://mxr.mozilla.org/seamonkey/source/docshell/build/nsDocShellModule.cpp#138

Here's my list:

CREATE TABLE `about` (
  `id` int(11) NOT NULL auto_increment,
  `name` varchar(255) NOT NULL default '',
  `arg` varchar(20) NOT NULL default '',
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=37 DEFAULT CHARSET=latin1 AUTO_INCREMENT=37 ;

-- 
-- Dumping data for table `about`
-- 

INSERT INTO `about` VALUES (1, 'about:', 'mozilla');
INSERT INTO `about` VALUES (2, 'about:plugins', 'mozilla');
INSERT INTO `about` VALUES (3, 'about:cache', 'mozilla');
INSERT INTO `about` VALUES (4, 'about:blank', 'mozilla');
INSERT INTO `about` VALUES (5, 'about:mozilla', 'mozilla');
INSERT INTO `about` VALUES (6, 'about:logo', 'mozilla');
INSERT INTO `about` VALUES (7, 'about:licence', 'mozilla');
INSERT INTO `about` VALUES (8, 'about:credits', 'mozilla');
INSERT INTO `about` VALUES (9, 'about:bloat', 'mozilla');
INSERT INTO `about` VALUES (10, 'about:bloat?new', 'mozilla');
INSERT INTO `about` VALUES (11, 'about:bloat?clear', 'mozilla');
INSERT INTO `about` VALUES (12, 'about:neterror', 'mozilla');
INSERT INTO `about` VALUES (19, 'about:Tabs', 'msie');
INSERT INTO `about` VALUES (18, 'about:blank', 'msie');
INSERT INTO `about` VALUES (17, 'about:', 'msie');
INSERT INTO `about` VALUES (20, 'about:Home', 'msie');
INSERT INTO `about` VALUES (21, 'about:DesktopItemNavigationFailure', 'msie');
INSERT INTO `about` VALUES (22, 'about:NavigationCanceled', 'msie');
INSERT INTO `about` VALUES (23, 'about:NavigationFailure', 'msie');
INSERT INTO `about` VALUES (24, 'about:OfflineInformation', 'msie');
INSERT INTO `about` VALUES (25, 'about:PostNotCached', 'msie');
INSERT INTO `about` VALUES (26, 'about:SecurityRisk', 'msie');
INSERT INTO `about` VALUES (27, 'opera:blank', 'opera');
INSERT INTO `about` VALUES (28, 'opera:about', 'opera');
INSERT INTO `about` VALUES (29, 'about:opera', 'opera');
INSERT INTO `about` VALUES (30, 'opera:cache', 'opera');
INSERT INTO `about` VALUES (31, 'opera:config', 'opera');
INSERT INTO `about` VALUES (32, 'opera:drives', 'opera');
INSERT INTO `about` VALUES (33, 'opera:history', 'opera');
INSERT INTO `about` VALUES (34, 'opera:plugins', 'opera');
INSERT INTO `about` VALUES (35, 'opera:button', 'opera');
INSERT INTO `about` VALUES (36, 'opera:help', 'opera');

And here are some schemes to play with:

CREATE TABLE `schemes` (
  `id` int(11) NOT NULL auto_increment,
  `name` varchar(255) NOT NULL default '',
  `arg` varchar(20) NOT NULL default '',
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=86 DEFAULT CHARSET=latin1 AUTO_INCREMENT=86 ;

-- 
-- Dumping data for table `schemes`
-- 

INSERT INTO `schemes` VALUES (1, 'file:', '');
INSERT INTO `schemes` VALUES (2, 'resource:', '');
INSERT INTO `schemes` VALUES (3, 'res:', '');
INSERT INTO `schemes` VALUES (4, 'chrome:', '');
INSERT INTO `schemes` VALUES (5, 'wyciwyg:', '');
INSERT INTO `schemes` VALUES (6, 'wais:', '');
INSERT INTO `schemes` VALUES (7, 'pop:', '');
INSERT INTO `schemes` VALUES (8, 'shell:', '');
INSERT INTO `schemes` VALUES (9, 'news:', '');
INSERT INTO `schemes` VALUES (10, 'aim:', '');
INSERT INTO `schemes` VALUES (11, 'data:', '');
INSERT INTO `schemes` VALUES (12, 'gopher:', '');
INSERT INTO `schemes` VALUES (13, 'finger:', '');
INSERT INTO `schemes` VALUES (14, 'x-jsd:', '');
INSERT INTO `schemes` VALUES (15, 'mhtml:', '');
INSERT INTO `schemes` VALUES (16, 'ms-its:', '');
INSERT INTO `schemes` VALUES (17, 'mt:', '');
INSERT INTO `schemes` VALUES (18, 'its:', '');
INSERT INTO `schemes` VALUES (19, 'mk:@MSITStore:', '');
INSERT INTO `schemes` VALUES (20, 'about:', '');
INSERT INTO `schemes` VALUES (21, 'aim:', '');
INSERT INTO `schemes` VALUES (22, 'callto:', '');
INSERT INTO `schemes` VALUES (23, 'cvs:', '');
INSERT INTO `schemes` VALUES (24, 'ed2k:', '');
INSERT INTO `schemes` VALUES (25, 'feed:', '');
INSERT INTO `schemes` VALUES (26, 'fish:', '');
INSERT INTO `schemes` VALUES (27, 'gizmoproject:', '');
INSERT INTO `schemes` VALUES (28, 'iax2:', '');
INSERT INTO `schemes` VALUES (29, 'irc:', '');
INSERT INTO `schemes` VALUES (30, 'ircs:', '');
INSERT INTO `schemes` VALUES (31, 'lastfm:', '');
INSERT INTO `schemes` VALUES (32, 'ldaps:', '');
INSERT INTO `schemes` VALUES (33, 'magnet:', '');
INSERT INTO `schemes` VALUES (34, 'mms:', '');
INSERT INTO `schemes` VALUES (35, 'msnim:', '');
INSERT INTO `schemes` VALUES (36, 'nsfw:', '');
INSERT INTO `schemes` VALUES (37, 'psyc:', '');
INSERT INTO `schemes` VALUES (38, 'rsync:', '');
INSERT INTO `schemes` VALUES (39, 'secondlife:', '');
INSERT INTO `schemes` VALUES (40, 'skype:', '');
INSERT INTO `schemes` VALUES (41, 'ssh:', '');
INSERT INTO `schemes` VALUES (42, 'sftp:', '');
INSERT INTO `schemes` VALUES (43, 'smb:', '');
INSERT INTO `schemes` VALUES (44, 'sms:', '');
INSERT INTO `schemes` VALUES (45, 'soldat:', '');
INSERT INTO `schemes` VALUES (46, 'steam:', '');
INSERT INTO `schemes` VALUES (47, 'unreal:', '');
INSERT INTO `schemes` VALUES (48, 'ut2004:', '');
INSERT INTO `schemes` VALUES (49, 'xfire:', '');
INSERT INTO `schemes` VALUES (50, 'ymsgr:', '');
INSERT INTO `schemes` VALUES (51, 'aaa:', '');
INSERT INTO `schemes` VALUES (52, 'aaas:', '');
INSERT INTO `schemes` VALUES (53, 'acap:', '');
INSERT INTO `schemes` VALUES (54, 'cap:', '');
INSERT INTO `schemes` VALUES (55, 'cid:', '');
INSERT INTO `schemes` VALUES (56, 'crid:', '');
INSERT INTO `schemes` VALUES (57, 'data:', '');
INSERT INTO `schemes` VALUES (58, 'dav:', '');
INSERT INTO `schemes` VALUES (59, 'dict:', '');
INSERT INTO `schemes` VALUES (60, 'dns:', '');
INSERT INTO `schemes` VALUES (61, 'fax:', '');
INSERT INTO `schemes` VALUES (62, 'file:', '');
INSERT INTO `schemes` VALUES (63, 'ftp:', '');
INSERT INTO `schemes` VALUES (64, 'go:', '');
INSERT INTO `schemes` VALUES (65, 'gopher:', '');
INSERT INTO `schemes` VALUES (66, 'h323:', '');
INSERT INTO `schemes` VALUES (67, 'http:', '');
INSERT INTO `schemes` VALUES (68, 'https:', '');
INSERT INTO `schemes` VALUES (69, 'im:', '');
INSERT INTO `schemes` VALUES (70, 'imap:', '');
INSERT INTO `schemes` VALUES (71, 'ldap:', '');
INSERT INTO `schemes` VALUES (72, 'mailto:', '');
INSERT INTO `schemes` VALUES (73, 'mid:', '');
INSERT INTO `schemes` VALUES (74, 'nfs:', '');
INSERT INTO `schemes` VALUES (75, 'nntp:', '');
INSERT INTO `schemes` VALUES (76, 'pop:', '');
INSERT INTO `schemes` VALUES (77, 'pres:', '');
INSERT INTO `schemes` VALUES (78, 'sip:', '');
INSERT INTO `schemes` VALUES (79, 'sips:', '');
INSERT INTO `schemes` VALUES (80, 'snmp:', '');
INSERT INTO `schemes` VALUES (81, 'tel:', '');
INSERT INTO `schemes` VALUES (82, 'telnet:', '');
INSERT INTO `schemes` VALUES (83, 'urn:', '');
INSERT INTO `schemes` VALUES (84, 'wais:', '');
INSERT INTO `schemes` VALUES (85, 'xmpp:', '');

Wow! This should be fun. Looks like there is plenty to test. I'll report anything I find ... eventually.

-clayfox

You might want to take a look at KDEs IO slaves... some fun to be had there:

http://www.portcullis-security.com/329.php