WebApp Sec mailing list archives
Re: XSS?
From: Tom Gallagher <tom () SecurityBugHunter com>
Date: Tue, 15 Nov 2005 04:52:39 -0500
This isn't exactly XSS, since you can't run script. They are taking your data from the 'q' parameter and doing a 302 redirect on it. Like you point out, this causes some confusion and phishers love stuff like this. When you test pages that redirect, good test cases to try are HTTP Splitting (http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf) cases where you attempt to inject CRLFs. Tom Quoting Andrew Chan <quickt () gmail com>:
I tried http://www.google.com/url?q=http://www.microsoft.com and it got directed. it seems that I received one such phishing email that makes use of this to obfuscate the actual URL lately.