
RE: [WEB SECURITY] JS parsing in 3xx HTTP responses?

From: Hoffman, Billy <billy.hoffman_at_nospam>
Date: Mon Nov 05 2007 - 13:40:20 GMT
To: Amit Klein <aksecurity@gmail.com>, Achim Hoffmann <webappsec@securenet.de>


Hmmmmm. I'm thinking there could be other ways to control the page even if they have JavaScript turned off. Sure you can't execute code but you might still be able to control the content of the webpage.

Consider this situation:

http://site.com/redirect.php?url=http://other.com/

This gives you a 200 OK with a <META> refresh to the value in the parameter url. The app filters accordingly and there is no way to escape the attribute of the meta tag.

Perhaps you could use a data: URI and rewrite the page. I seem to remember Robert doing some work in this area.

Billy
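To make the mitigation for the scenario above concrete (a `redirect.php?url=` parameter reflected into a META refresh, where attribute escaping alone cannot stop a `data:` URI from replacing the page), here is an added example of an allow-list check on the redirect target. It is not code from the list or from any poster; `ALLOWED_HOSTS`, `site.com` as fallback, and the function names are assumptions for the example.

```python
from html import escape
from urllib.parse import urlsplit

# Hosts this hypothetical redirect.php is willing to send users to.
# Assumed for the example; a real deployment keeps this in configuration.
ALLOWED_HOSTS = {"other.com", "www.other.com"}


def validate_redirect_target(url: str) -> bool:
    """Return True only for an absolute http(s) URL whose host is allow-listed.

    Scheme-less, protocol-relative, data:, javascript: and userinfo tricks
    (http://other.com@evil.example/) are all rejected, so the value can never
    rewrite the page even when the browser runs without JavaScript.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()  # hostname strips userinfo and port
    return host in ALLOWED_HOSTS


def meta_refresh_page(url: str, fallback: str = "https://site.com/") -> str:
    """Build the 200 OK body: META refresh to url, or to fallback if rejected."""
    target = url if validate_redirect_target(url) else fallback
    # Attribute-escape the target as well; the allow-list is the real control,
    # escaping only keeps the markup well-formed.
    return ('<html><head><meta http-equiv="refresh" '
            f'content="0;url={escape(target, quote=True)}"></head></html>')
```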

-----Original Message-----
From: Amit Klein [mailto:aksecurity@gmail.com]
Sent: Sunday, November 04, 2007 2:04 PM
To: Achim Hoffmann
Cc: WASC Forum
Subject: Re: [WEB SECURITY] JS parsing in 3xx HTTP responses?

Achim Hoffmann wrote:
> just another discussion about it
> http://ilia.ws/archives/152-Cross-Domain-POST-Redirection.html
>

I'm kind of missing the point here - does this have something to do with browser parsing of 3xx responses?
At any rate, I don't understand why that write-up is of interest (besides mentioning the lesser known 307 response). If I can respond with 307, I can probably just the same respond with an HTML page, containing a POST form and a piece of JS code to automatically submit the form. Unless the user runs sans JS, but then their own exploit scenario (XSS) won't work...



Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]