Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Firefox Multi-lined Address Phishing
Posted by: p0deje
Date: December 03, 2009 06:41AM

I was playing around with hackvertor and particularly sirdarckcat encoding. So I found interesting thing, which may be related to phishing.

Key of this thing is that Firefox, when contains special URL in address bar, allows multi-lined URL.

I cannot just copy-paste special URL because it will be filtered.

So, try to do this:
1. Go to http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php#PEBzaXJkYXJja2NhdF90d2l0dGVyX2VuY18wPmFsZXJ0KCk8QC9zaXJkYXJja2NhdF90d2l0dGVyX2VuY18wPg%3D%3D and copy-paste the output.
2. Then go to any site / [output]. For example, www.google.com/[output}
3. Firefox will load normal URL in address bar.
4. Mouse over address bar and scroll down - you will see empty address bar.

I've tested this on Firefox 3.5.5 on Windows and not sure if this reproduces on Linux.

Maybe it's possible to make a special URL that would contain phishing URL on second line? However, it's weird thing.

---------
http://p0deje.blogspot.com

Options: ReplyQuote
Re: Firefox Multi-lined Address Phishing
Posted by: lightos
Date: December 03, 2009 07:53AM

%E2%A4%80 is the character causing the trouble, a whole range of characters seem to have the same effect.
It didn't work for me on linux, but works on FF and Opera running under Windows. Opera actually expands the URL box hehe.
Can't really see this being used for an attack, although I may be wrong.

Options: ReplyQuote
Re: Firefox Multi-lined Address Phishing
Posted by: p0deje
Date: December 03, 2009 08:14AM

for example, we have URL

www.hacksite.com/%E2%A4%80 \r\n
www.phishedsite.com

and if address bar will be scrolled, user will see www.phishedsite.com in address bar and think it's a valid site

---------
http://p0deje.blogspot.com

Options: ReplyQuote
Re: Firefox Multi-lined Address Phishing
Posted by: jackthecoiner
Date: December 03, 2009 06:34PM

Are there particular language packs that need to be required for the scrolling to happen on Windows?

Options: ReplyQuote
Re: Firefox Multi-lined Address Phishing
Posted by: p0deje
Date: December 04, 2009 01:34AM

jackthecoiner Wrote:
-------------------------------------------------------
> Are there particular language packs that need to
> be required for the scrolling to happen on
> Windows?

I think no
You just need Firefox of version 3, which decodes URL to UTF-8

---------
http://p0deje.blogspot.com

Options: ReplyQuote
Re: Firefox Multi-lined Address Phishing
Posted by: SpoofGhost
Date: January 07, 2010 07:52AM

i think this could be used with a redirect, i'm sure there are site's wich are quite good protected but if you can force a redirect with the characters to your phishing site. and they can't see in the url bar that there on the wrong site.
they might think oh i probably have deleted it orso.

so it can be used in an attack not sure what more is possible with this tho

Options: ReplyQuote
Re: Firefox Multi-lined Address Phishing
Posted by: p0deje
Date: January 15, 2010 05:36AM

problem is that it's impossible to make urlbar scroll down without user manipulation

---------
http://p0deje.blogspot.com

Options: ReplyQuote


Sorry, only registered users may post in this forum.