Sla.ckers.org
How robots and spiders are causing issues, how to stop them. We can also talk about Completely Automated Public Turing Test To Tell Computers And Humans Apart - their use, their compliance issues, porn proxies, PWNtcha and other ways to defeat them. 
Spiders, title tag parsing, XSS
Posted by: Ivan
Date: April 06, 2008 06:47AM

Hello everyone,

I put some HTML pages on my website with special title tags, in the hope that I will find some vulns in some spiders. As far as I know, spiders don't use URLs from the title tag in order to spider those pages?

Anyway, those title tags look like this:

1. <script>window.location = "someurl"</script>
2. <img src="javascript:window.location = 'someurl'">
3. window.location = 'someurl'
4. /img src="javascript:window.location = 'someurl"/

And two spiders (MSN and accoonabot) visited "someurl": accoonabot with a referer from the .html page and MSN without any referer. Both of them came from the 1st case of title tag.

I'm asking now: are there some vulns in the spiders' parsing engines? Is accoonabot redirected with JavaScript because there is a referer, or does MSN have some vuln in displaying the title tag in their "backend" system?

I know that this test can be better, but I want to hear your opinion first ...

Thanks,
Ivan

http://www.security-net.biz/



Edited 1 time(s). Last edit at 04/06/2008 01:09PM by Ivan.
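
The "backend display" hypothesis raised in the post above, shown from the defender's side as an added example (not part of the original thread, and not a description of any real search engine's system): a crawler that treats title contents as plain text and escapes them at output time. All function names, the report layout and the example.test URLs are hypothetical; the sample pages are constructed from the first and third title forms listed in the post.

```python
import html
import re

# Title contents are RCDATA in HTML: everything up to the closing </title> is
# text, so markup inside it must never be interpreted as tags.
TITLE_RE = re.compile(r"<title\b[^>]*>(.*?)</title\s*>", re.IGNORECASE | re.DOTALL)

def extract_title(page):
    """Return the decoded title text of a crawled page ('' if there is none)."""
    m = TITLE_RE.search(page)
    if not m:
        return ""
    # Decode character references and collapse whitespace; result is plain text.
    return " ".join(html.unescape(m.group(1)).split())

def render_row_unsafe(url, title):
    # Vulnerable pattern: crawled text concatenated straight into backend HTML.
    return "<tr><td>" + url + "</td><td>" + title + "</td></tr>"

def render_row_safe(url, title):
    # Hardened pattern: escape at output time for the HTML text context.
    return "<tr><td>{}</td><td>{}</td></tr>".format(html.escape(url), html.escape(title))

def has_markup(title):
    """Triage flag: does the title text contain tag-like markup?"""
    return re.search(r"<\s*/?\s*[a-zA-Z]", title) is not None

# Constructed sample pages (hypothetical URLs).
SAMPLES = {
    "http://example.test/1.html":
        '<html><head><title><script>window.location = "someurl"</script></title></head></html>',
    "http://example.test/3.html":
        "<html><head><title>window.location = 'someurl'</title></head></html>",
}

def report():
    """Return (url, flagged, unsafe_row, safe_row) for every sample page."""
    rows = []
    for url, page in SAMPLES.items():
        t = extract_title(page)
        rows.append((url, has_markup(t), render_row_unsafe(url, t), render_row_safe(url, t)))
    return rows

if __name__ == "__main__":
    for url, flagged, unsafe, safe in report():
        print(url, "markup-in-title" if flagged else "plain")
        print("  unsafe:", unsafe)
        print("  safe:  ", safe)
```

The unsafe row for the first sample contains a live script element in whatever page the backend renders, while the safe row shows the same title as inert text.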

Re: Spiders, title tag parsing, XSS
Posted by: Malkav
Date: April 07, 2008 06:50AM

There can of course be vulns in a spider's parsing engine, and the thought of an attacker-controlled major search engine spider is quite chilling...

Although without getting our dirty little hands on a spider binary it will prove quite difficult to validate even the simplest buffer overflow.

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin

Re: Spiders, title tag parsing, XSS
Posted by: Ivan
Date: April 07, 2008 01:40PM

OK, I know that it is hard to validate a vuln in spiders, but I tried this, and I just think that some of you have some similar experience ...

http://www.security-net.biz/
