WebApp Sec mailing list archives
RE: CSS before redirect
From: "Thomas Schreiber" <ts () secure-net de>
Date: Tue, 9 Sep 2003 11:09:03 +0200
There is a security risk, under some circumstances: a second vulnerability exists and the client is Mozilla or Firebird (tested with the latest version). The latest IE and Opera do not seem vulnerable; others not tested.

The additional hole needed often exists if the redirect is not done by the webserver but by some custom script that does not correctly sanitize input. Suppose you enter this:

http://somewhere.tld/here?search="></a><script>alert('hello')</script><!--%0d%0aLocation:%20foo://bar

If the custom redirector does not properly handle it, it may rewrite the %0d%0a as it is, i.e. CRLF. Which results in this header:

HTTP/1.1 302 Object Moved
Location: http://somewhereelse.com/there?search="></a><script>alert('hello')</script><!--
Location: foo://bar
Server: Microsoft-IIS/4.0
Content-Type: text/html

The Mozilla browsers (perhaps others) overwrite the first 'Location:' with the second. As this (foo://bar) is not a valid URL, it takes the body as a last resort and the XSS code gets evaluated.

Thomas Schreiber - ts () secure-net de
SecureNet GmbH, Munich

> -----Original Message-----
> From: Stephen de Vries [mailto:stephen.devries () dcode net]
> Sent: Monday, September 08, 2003 5:33 PM
> To: webappsec () securityfocus com
> Subject: CSS before redirect
>
> Hi all,
>
> I'm looking at an application that seems to be vulnerable to CSS attack,
> however, the browser keeps following the redirect before running the
> script. The request:
>
> GET /includes?"></a><script>alert('hello')</script> HTTP/1.1
>
> Results in the following response:
>
> HTTP/1.1 302 Object Moved
> Location: https://somwhereelse.com
> Server: Microsoft-IIS/4.0
> Content-Type: text/html
> Content-Length: 123
>
> <head><title>Document Moved</title></head>
> <body><h1>Object Moved</h1>This document may be found <a
> HREF="https://somewhereelse.com/includes/?"></a><script>alert('hello')</script>">here</a>
>
> The CSS injection looks as though it should work, if the browser just
> displayed that page, but instead it acts on the redirect immediately
> before displaying the page. This happens in both Mozilla 1.4 and IE 6.
> Do you think this represents a security risk? Do older browsers behave
> in the same way? Is it possible to turn this behaviour off? Does
> cologne make the man?
>
> cheers,
>
> Stephen
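The header-splitting condition Thomas describes (a custom redirector copying a decoded parameter straight into Location, so an encoded CRLF produces a second Location line) can be checked for directly. The following is an added example and not code from the thread: it builds the response head the way a naive redirector would, beside a validated version that rejects control characters and only redirects to an allowlisted host, and a small parser that counts Location headers so a split response is detectable in a test. The allowlist, the helper names and the sample target (which carries only the CRLF, not the script body from the thread) are constructed for illustration.

```python
"""Redirect-target handling: CRLF header splitting vs. a validated redirector.

Added example for the thread above; nothing here is the original poster's
code. ALLOWED_HOSTS and all function names are assumptions for illustration.
"""
from urllib.parse import unquote, urlsplit

# Constructed allowlist: the only host this redirector is willing to send users to.
ALLOWED_HOSTS = {"somewhereelse.com"}

# Constructed sample: a redirect parameter carrying an encoded CRLF and a
# second Location line, as in the thread (script payload omitted).
CRLF_TARGET = "http://somewhereelse.com/there?search=x%0d%0aLocation:%20foo://bar"


def naive_redirect_headers(target: str) -> bytes:
    """Insecure: decodes the parameter and copies it into Location unchanged.

    This mirrors the custom redirector in the thread: %0d%0a survives as a
    literal CRLF, so the rest of the parameter becomes extra header lines.
    """
    decoded = unquote(target)
    return (
        "HTTP/1.1 302 Object Moved\r\n"
        f"Location: {decoded}\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ).encode("utf-8")


def safe_redirect_target(target: str) -> str:
    """Validate a redirect target before it may reach a Location header.

    Rejects any ASCII control character (CR and LF included) so the header
    block cannot be split, and requires an absolute http(s) URL whose host is
    on the allowlist so the redirect cannot be pointed at an arbitrary site.
    """
    decoded = unquote(target)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        raise ValueError("control character in redirect target")
    parts = urlsplit(decoded)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("redirect target not on allowlist")
    return decoded


def safe_redirect_headers(target: str) -> bytes:
    """Hardened redirector: only a validated target is written into Location."""
    location = safe_redirect_target(target)
    return (
        "HTTP/1.1 302 Object Moved\r\n"
        f"Location: {location}\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ).encode("utf-8")


def redirect_accepted(target: str) -> bool:
    """True if the hardened redirector would emit a redirect for this target."""
    try:
        safe_redirect_target(target)
    except ValueError:
        return False
    return True


def location_headers(raw: bytes) -> list:
    """Return every Location value in a raw response head, in order.

    A well-formed redirect carries exactly one; two or more means the header
    block was split, which is the condition the thread describes.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8")
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            values.append(value.strip())
    return values


if __name__ == "__main__":
    print("naive:", location_headers(naive_redirect_headers(CRLF_TARGET)))
    print("safe accepts CRLF target:", redirect_accepted(CRLF_TARGET))
```

Run stand-alone, the naive path yields two Location values for the sample target while the hardened path refuses it; the same `location_headers` check can be pointed at a captured response head to confirm whether a deployed redirector is splitting headers.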
Current thread:
- CSS before redirect Stephen de Vries (Sep 08)
- Re: CSS before redirect Jeremiah Grossman (Sep 08)
- Re: CSS before redirect Marc Slemko (Sep 08)
- RE: CSS before redirect Thomas Schreiber (Sep 09)
- Re: CSS before redirect Jeremiah Grossman (Sep 08)