Hi Robert, it works for me on Opera 9.21 (8776) WXP SP2.
I was trying to do the same with Firefox and it seems to work too,
but you get the "data:text/html" at the beginning of the URL.

Here you have a PoC for FF, it works on a 2.0.0.4 version
http://www.rzw.com.ar/ff_URL_spoofing.html

On 7/14/07, Martin Aberastegue <[EMAIL PROTECTED]> wrote:
> Hi Robert, it works for me on Opera 9.21 (8776) WXP SP2.
> I was trying to do the same with Firefox and it seems to work too,
> but you get the "data:text/html" at the beginning of the URL.
>
> Here you have a PoC for FF, it works on a 2.0.0.4 version
> http://www.rzw.com.ar/ff_URL_spoofing.html
>
>
> On 7/13/07, Robert Swiecki <[EMAIL PROTECTED]> wrote:
> > With a specially crafted web page, an attacker can redirect
> > a www browser to the page, which URL (in the url bar) resembles
> > an arbitrary domain chosen by the attacker.
> >
> > It's possible due to the fact, that some web browsers incorrectly
> > display contents of the url bar while rendering pages based on the
> > 'data:' URL scheme (RFC 2397). Only the ending of the URL is
> > displayed. Padding the URL with whitespaces allows an attacker to
> > insert an arbitrary content into the browser url bar.
> >
> > http://alt.swiecki.net/oper1.html
> >
> > Tested with:
> > * Opera 9.21 on Win 2003SE and Win XPSP2
> > * Opera 9.21 on Linux
> > * Konqueror 3.5.7 on Linux
> >
> > Pictures taken on my systems (using 1024x768 desktop resolution)
> > http://alt.swiecki.net/operalin.png
> > http://alt.swiecki.net/operawin.png
> > http://alt.swiecki.net/konq.png
> >
> > Successful attack depends on the proper construction of the
> > 'data:' URL. An algorithm could utilize JS
> > document.body.clientWidth/Height properties to calculate the
> > best url padding for the given browser.
> >
> > PS. Sometimes Opera web browser displays the beginning of
> > the 'data:' URL (correct behaviour), e.g. during
> > browser startup with immediate redirect to the last visited page.
> >
> > --
> > Robert Swiecki
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
> --
> Martin Aberastegue
> http://www.rzw.com.ar
>

--
Martin Aberastegue
http://www.rzw.com.ar
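
A defensive check for the behaviour discussed in this thread, as an added example that is not part of the original messages or either poster's code: it flags 'data:' URLs carrying a long whitespace run, and notes when the text after the padding looks like a hostname. The names inspectDataUrl, PAD_THRESHOLD and HOST_LIKE, the threshold of 32 and the example.com sample URLs are assumptions made for illustration.

```javascript
// Added example (not from the thread): flag 'data:' URLs (RFC 2397) padded with
// whitespace so that only a host-like ending would show in a truncated URL bar.
// PAD_THRESHOLD and inspectDataUrl are hypothetical names; tune the threshold.
const PAD_THRESHOLD = 32;

// Host-like text, optionally with scheme and path, e.g. "www.example.com/login".
const HOST_LIKE = /^(?:https?:\/\/)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[\/:?#]\S*)?$/i;

function inspectDataUrl(raw) {
  const url = String(raw).trim();
  const result = { isDataUrl: /^data:/i.test(url), longestRun: 0, tail: "",
                   reasons: [], suspicious: false };
  if (!result.isDataUrl) return result;

  // Treat percent-encoded space, tab, LF and CR like literal whitespace.
  const normalized = url.replace(/%(?:20|09|0a|0d)/gi, " ");

  // Longest run of consecutive whitespace characters anywhere in the URL.
  for (const run of normalized.match(/\s+/g) || []) {
    result.longestRun = Math.max(result.longestRun, run.length);
  }
  // Text after the last whitespace run: what a bar showing only the end displays.
  result.tail = normalized.split(/\s+/).pop();

  if (result.longestRun >= PAD_THRESHOLD) {
    result.reasons.push("whitespace-padding");
    if (HOST_LIKE.test(result.tail)) result.reasons.push("host-like-tail");
  }
  result.suspicious = result.reasons.length > 0;
  return result;
}

// Constructed sample inputs (example.com is a placeholder host).
const samples = [
  "data:text/html,<p>hi</p>" + "%20".repeat(200) + "www.example.com",
  "data:text/html,<p>hi</p>" + " ".repeat(200) + "www.example.com",
  "data:text/plain,hello%20world",
  "data:image/png;base64,iVBORw0KGgo=",
  "https://www.example.com/",
];
for (const s of samples) {
  const r = inspectDataUrl(s);
  console.log(r.suspicious ? "FLAG" : "ok  ", r.longestRun, r.reasons.join(","), s.slice(0, 24));
}
```

A filter for links, redirects or logged navigations can call this per URL and treat "host-like-tail" as the stronger signal.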
