Back to list
MSIE7 entrapment again (+ FF tidbit)
Jul 13 2007 10:20PM
Michal Zalewski (lcamtuf dione ids pl)
Microsoft Internet Explorer seems to have a soft spot for browser
entrapment vulnerabilities. Just to recap, in these attacks, the user is
made believe he had left a webpage (and the URL bar or SSL state data
reinforce him in this belief) - but in reality, is prevented from doing
so, and his browser continues to display assorted content originating from
This is a close, but somewhat more sinister relative of vanilla URL bar
spoofing. I reported a few of each kind in the recent months.
Well, here's another one, this time based on document.open() calls. In
essence, repeatedly calling this function after a new URL is entered by
the user, before onBeforeUnload is invoked, inhibits page transition - but
target URL bar state is retained. This is remarkably silly.
A live demo is available here:
That is all.
PS. The promised tidbit - since I'm leaving for a while and won't have
'domainless' cookies by specifying 'domain=.' - for example:
Fortunately/unfortunately, these cookies do not get sent to all sites - no
session fixation - though can be retrieved by other null-domain
periods will be trimmed. Path can be set arbitrarily, with certain
exceptions. Null-domain cookies load properly when stored in cookies.txt.
Q: can this be used in a manner more sinister than merely facilitating
exchange of "markers" between various user-tracking sites?
[ reply ]
Copyright 2010, SecurityFocus